Bugzilla – Bug 937533
VUL-0: CVE-2015-3246: libuser: local root exploit through passwd file handling
Last modified: 2017-05-26 19:10:25 UTC
Created attachment 640496
full advisory text

EMBARGOED, via distros

> Attached is an advisory about vulnerabilities we discovered in
> userhelper and libuser; we contacted Red Hat beforehand, and they have
> assigned the CVEs and prepared the patches already, and will send them
> here shortly.
>
> As per Red Hat's request, the Coordinated Release Date for these issues
> should be fixed after 21st July 2015; feel free to choose the exact
> date, sometime around 17:00 UTC.
>
> We are planning to publish an exploit with our advisory; if you need the
> exploit in advance for tests or QA, it can probably be arranged.
>
> Thank you for your attention to this matter; we are at your disposal
> should you have any questions or comments: please encrypt any further
> correspondence with our PGP public key (attached).
>
> With best regards,

The libuser issue:

> (CVE-2015-3246 libuser passwd file handling)
>
> We discovered a bug in libuser itself: even though traditional programs
> like passwd, chfn, and chsh work on a temporary copy of /etc/passwd and
> eventually rename() it, libuser modifies /etc/passwd directly.
> Unfortunately, if anything goes wrong during these modifications,
> libuser may leave /etc/passwd in an inconsistent state.
>
> This bug is not just another local denial-of-service: we were able to
> turn it into a local root exploit against userhelper and chfn (if linked
> with libuser).
>
> There is also another, secondary aspect of this bug: glibc modules like
> nss and nscd do not expect /etc/passwd to be directly modified while
> they parse its contents, and programs from packages like shadow-utils
> and util-linux use lckpwdf() locks that are incompatible with libuser's
> fcntl() locks.

Full advisory text with more details attached. Patches to follow.

CRD will be July 21, 22, or 23.
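The temporary-copy-and-rename() pattern that the quoted advisory contrasts with libuser's in-place writes, as an added example that is not part of the advisory, this bug report, or the libuser patch. `replace_atomic`, `file_is`, the `fail_after` parameter and the scratch file `passwd.demo` are hypothetical names, and the sample entries are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Replace `path` with `data` via a temporary copy plus rename(); locking omitted.
 * `fail_after` simulates an error after that many bytes (-1: none).
 * Returns 0 on success; on failure returns -1 and `path` is untouched. */
static int replace_atomic(const char *path, const char *data, long fail_after)
{
    char tmp[512];
    size_t len = strlen(data), n = len;
    if (fail_after >= 0 && (size_t)fail_after < len) n = (size_t)fail_after;
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);          /* same directory, so rename() is atomic */
    if (fd < 0) return -1;
    int ok = write(fd, data, n) == (ssize_t)n && n == len   /* short write fails */
          && fchmod(fd, 0644) == 0 && fsync(fd) == 0;
    if (close(fd) != 0) ok = 0;
    if (ok && rename(tmp, path) == 0) return 0;
    unlink(tmp);                    /* discard the partial copy */
    return -1;
}

/* Returns 1 if the file at `path` holds exactly `expect`, else 0. */
static int file_is(const char *path, const char *expect)
{
    char buf[256];
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t got = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return got == strlen(expect) && memcmp(buf, expect, got) == 0;
}

/* Constructed sample data in a scratch file, never the real /etc/passwd. */
static const char *DEMO = "passwd.demo";
static const char *OLD = "alice:x:1000:1000:Alice:/home/alice:/bin/sh\n";
static const char *NEW = "alice:x:1000:1000:Alice A.:/home/alice:/bin/sh\n";
int main(void)
{
    if (replace_atomic(DEMO, OLD, -1) != 0) return 1;
    int rc = replace_atomic(DEMO, NEW, 10);          /* error mid-write */
    printf("failed update: rc=%d original intact=%d\n", rc, file_is(DEMO, OLD));
    rc = replace_atomic(DEMO, NEW, -1);
    printf("good update:   rc=%d new content=%d\n", rc, file_is(DEMO, NEW));
    return unlink(DEMO);
}
```

Readers of the file see either the complete old contents or the complete new contents, because the only operation that touches `path` is the final rename().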
CRD: 2015-07-22 17:00 UTC
bugbot adjusting priority
New CRD: 2015-07-23 17:00 UTC
Argh, the patch is against HEAD, not the latest release (0.61) :-/
(In reply to Klaus Kämpf from comment #6)
> Argh, the patch is against HEAD, not the latest release (0.61) :-/

Requesting update. Can you backport the patch please?
public. Please submit for openSUSE
Since I unnecessarily requested the SLE submission, I copied it into openSUSE. Please review:
https://build.opensuse.org/request/show/318362
https://build.opensuse.org/request/show/318364
submitted to security:SELinux (for Factory)
Could you please review SR#318364 for an update for 13.2?
OBS sr was accepted
thanks, update is running
openSUSE-SU-2015:1332-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 937533
CVE References: CVE-2015-3246
Sources used:
openSUSE 13.2 (src): libuser-0.60-3.3.1
done, closing