CVE-2023-40303

GNU inetutils before 2.5 may allow privilege escalation because of unchecked return values of set*id() family functions in ftpd, rcp, rlogin, rsh, rshd, and uucpd. This is, for example, relevant if the setuid system call fails when a process is trying to drop privileges before letting an ordinary user control the activities of the process.

Weakness

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

Affected Software

Name	Vendor	Start Version	End Version
Inetutils	Gnu	*	2.4 (including)
Inetutils	Ubuntu	bionic	*
Inetutils	Ubuntu	devel	*
Inetutils	Ubuntu	focal	*
Inetutils	Ubuntu	jammy	*
Inetutils	Ubuntu	lunar	*
Inetutils	Ubuntu	mantic	*
Inetutils	Ubuntu	noble	*
Inetutils	Ubuntu	oracular	*
Inetutils	Ubuntu	trusty	*
Inetutils	Ubuntu	trusty/esm	*
Inetutils	Ubuntu	xenial	*

Potential Mitigations

References

http://www.openwall.com/lists/oss-security/2023/12/30/4
https://ftp.gnu.org/gnu/inetutils/
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
https://lists.debian.org/debian-lts-announce/2023/10/msg00013.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00013.html
https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg00000.html
http://www.openwall.com/lists/oss-security/2023/12/30/4
https://ftp.gnu.org/gnu/inetutils/
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
https://lists.debian.org/debian-lts-announce/2023/10/msg00013.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00013.html
https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg00000.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-40303
CWE	https://cwe.mitre.org/data/definitions/252.html

Unchecked Return Value

Weakness

Affected Software

Potential Mitigations

References