The shadow-mk package contains the shadow-3.3.1 package
distributed by John F. Haugh II with the shadow-3.3.1-2 patch
installed, a few fixes made by
Mohan Kokal <magnus@texas.net>
that make installation a lot easier, a patch by Joseph R.M. Zbiciak
for login1.c (login.secure) that eliminates the -f, -h security
holes in /bin/login, and some other miscellaneous patches.
The shadow-mk package was the previously recommended
package, but it should be replaced due to a security problem with the
login program.
There are security problems with Shadow versions 3.3.1, 3.3.1-2,
and shadow-mk involving the login program. This login bug
involves not checking the length of a login name. This causes the buffer to
overflow, causing crashes or worse. It has been rumored that this buffer
overflow can allow someone with an account on the system to use this bug and
the shared libraries to gain root access. I won't discuss exactly
how this is possible because there are a lot of Linux systems that are
affected, but systems with these Shadow Suites installed, and
most pre-ELF distributions without the Shadow Suite,
are vulnerable!
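The defect class described above is a missing length check on the login name. As an added illustration (this is not code from the Shadow Suite or from any version of /bin/login), the following C shows how a login name can be read into a fixed-size buffer without ever writing past its end: an overlong name is rejected and the remainder of the input line is discarded instead of being copied. The buffer size LOGIN_NAME_BUF is an assumed value for this example; the HOWTO does not state the limit used by the affected login program.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen and fmemopen */
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example; the HOWTO gives no figure. */
#define LOGIN_NAME_BUF 32

/*
 * The unsafe pattern the text describes is an unbounded copy such as
 *     strcpy(name, input);       -- no check that input fits in name
 * The bounded version below never writes beyond dst[dstsize - 1].
 *
 * Returns 0 on success, -1 if the name is empty or would not fit
 * together with its terminating NUL. On failure dst is left empty.
 */
int copy_login_name(char *dst, size_t dstsize, const char *src)
{
    size_t n = strnlen(src, dstsize);  /* scan no further than dstsize */
    if (dstsize == 0)
        return -1;
    if (n == 0 || n >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);           /* n + 1 <= dstsize, so this fits */
    return 0;
}

/*
 * Reads one line from fp and stores it as a login name.
 * Returns 0 on success, -1 on EOF, empty input, or a line too long
 * for the buffer; in the overlong case the rest of the line is drained
 * so it cannot be mistaken for the answer to the next prompt.
 */
int read_login_name(FILE *fp, char *dst, size_t dstsize)
{
    char line[LOGIN_NAME_BUF + 2];     /* name + '\n' + NUL */
    if (fgets(line, sizeof line, fp) == NULL)
        return -1;
    char *nl = strchr(line, '\n');
    if (nl != NULL) {
        *nl = '\0';
    } else if (!feof(fp)) {
        /* line did not fit: discard the remainder and reject it */
        int c;
        while ((c = getc(fp)) != EOF && c != '\n')
            ;
        if (dstsize > 0)
            dst[0] = '\0';
        return -1;
    }
    return copy_login_name(dst, dstsize, line);
}

int main(void)
{
    /* Constructed input: a valid name followed by an overlong one. */
    static const char input[] =
        "alice\n"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
    FILE *fp = fmemopen((void *)input, sizeof input - 1, "r");
    char name[LOGIN_NAME_BUF];
    if (fp == NULL)
        return 1;
    while (1) {
        int rc = read_login_name(fp, name, sizeof name);
        if (rc == 0)
            printf("accepted: %s\n", name);
        else if (feof(fp))
            break;
        else
            printf("rejected: login name too long or empty\n");
    }
    fclose(fp);
    return 0;
}
```

The key property is that every write into `dst` is bounded by `dstsize`, so a name longer than the buffer produces a clean rejection rather than memory corruption; the drain loop in `read_login_name` also prevents the leftover bytes of an overlong line from being consumed as the next input.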
The only recommended Shadow Suite is still in BETA testing; however,
the latest versions are safe in a production environment and don't contain a
vulnerable login program.