CVE-2025-0374

Name of the Vulnerable Software and Affected Versions etcupdate (affected versions not specified)

Description When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file and is world-readable, applying to files that would normally have restricted visibility, such as /etc/master.passwd. An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.