HCE2-SA-2023-0223 Low HCE 2.0 Security Fix(es): In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account. (CVE-2023-29383) HCE 2.0 shadow-4.9-4.r9.hce2.aarch64.rpm shadow-help-4.9-4.r9.hce2.noarch.rpm shadow-subid-devel-4.9-4.r9.hce2.aarch64.rpm shadow-4.9-4.r9.hce2.x86_64.rpm shadow-subid-devel-4.9-4.r9.hce2.x86_64.rpm