Bug 15644

Summary: .rpmnew files generated in setup upgrades might make Mageia 4 users or upgraders lose their passwords and fstab
Product: Mageia Reporter: Rémi Verschelde <rverschelde>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: High CC: identity.mageia.org, stormi-mageia, sysadmin-bugs, thierry.vignaud, thkala
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: setup CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 14516    

Description Rémi Verschelde 2015-04-07 16:52:18 CEST 
As discussed at length in the dev [1] and QA [2] mailing lists, the setup update pushed to both Mageia 4 (MGASA-2015-0116 [3], mga#14516 [4], setup-2.7.20-9.1.mga4) and Cauldron (setup-2.7.21-4.mga5) could lead to unwary users emptying the contents of critical config files such as /etc/fstab and /etc/shadow.

The reason is that when updating via rpmdrake without restarting it after its priority upgrade (MGAA-2015-0028 [5], mga#14266 [6]), users would be notified of the creation of .rpmnew files for /etc/shadow (and potentially /etc/fstab and /etc/resolv.conf), and rpmdrake gives them the possibility to replace their current files by the basically empty .rpmnew files, leading to the loss of passwords and/or of the filesystem table.


[1] https://ml.mageia.org/l/arc/dev/2015-04/msg00048.html
[2] https://ml.mageia.org/l/arc/qa-discuss/2015-03/msg00399.html
[3] http://advisories.mageia.org/MGASA-2015-0116.html
[4] https://bugs.mageia.org/show_bug.cgi?id=14516
[5] http://advisories.mageia.org/MGAA-2015-0028.html
[6] https://bugs.mageia.org/show_bug.cgi?id=14266

Reproducible: 

Steps to Reproduce:
Rémi Verschelde 2015-04-07 16:52:41 CEST

Blocks: (none) => 14516

Rémi Verschelde 2015-04-07 16:53:55 CEST

QA Contact: (none) => qa-bugs

Rémi Verschelde 2015-04-07 16:54:04 CEST

Priority: Normal => High

Rémi Verschelde 2015-04-07 16:54:11 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 Thierry Vignaud 2015-04-08 08:55:23 CEST 
No need for two BR

*** This bug has been marked as a duplicate of bug 14516 ***

Status: NEW => RESOLVED
CC: (none) => thierry.vignaud
Resolution: (none) => DUPLICATE

Comment 2 claire robinson 2015-04-17 16:39:13 CEST 
Re-opening as per QA meeting. Advisory updated for bug 14516.

Current packages:

SRPM:
 - setup-2.7.20-9.4.mga4

RPMs:
setup-2.7.20-9.4.mga4.noarch

Status: RESOLVED => REOPENED
Version: Cauldron => 4
Resolution: DUPLICATE => (none)
Whiteboard: MGA4TOO => (none)

claire robinson 2015-04-17 16:41:41 CEST

Assignee: rverschelde => qa-bugs
QA Contact: qa-bugs => security

Comment 3 claire robinson 2015-04-17 16:43:04 CEST 
Advisory:
=========

Updated setup package fixes security issue

  An issue has been identified in Mageia 4's setup package where the
  /etc/shadow and /etc/gshadow files containing password hashes were created
  with incorrect permissions, making them world-readable (mga#14516).

  This update fixes this issue by enforcing that those files are owned by
  the root user and shadow group, and are only readable by those two entities.

  Note that this issue only affected new Mageia 4 installations. Systems that
  were updated from previous Mageia versions were not affected.

  This update was already issued as MGASA-2015-0116, but the latter was withdrawn
  as it generated .rpmnew files for critical configuration files, and rpmdrake
  might propose the user to use those basically empty files, thus leading to
  loss of passwords or partition table. This new update ensures that such .rpmnew
  files are not kept after the update.


References:
 - https://bugs.mageia.org/show_bug.cgi?id=14516
 - http://advisories.mageia.org/MGASA-2015-0116.html
 - https://ml.mageia.org/l/arc/qa-discuss/2015-03/msg00399.html
claire robinson 2015-04-17 16:45:10 CEST

Component: RPM Packages => Security

Comment 4 David Walser 2015-04-17 16:53:08 CEST 
*** Bug 14516 has been marked as a duplicate of this bug. ***

CC: (none) => thkala

Comment 5 David Walser 2015-04-18 17:38:36 CEST 
*** Bug 14516 has been marked as a duplicate of this bug. ***
Comment 6 Rémi Verschelde 2015-04-19 17:12:08 CEST 
Testing procedure... https://bugs.mageia.org/show_bug.cgi?id=14516#c73

OK'ing for Mageia 4 x86_64 as per https://bugs.mageia.org/show_bug.cgi?id=14516#c78

Whiteboard: (none) => has_procedure MGA4-64-OK

Comment 7 James Kerr 2015-04-20 17:42:29 CEST 
urpmi --downgrade setup
The following package has to be removed for others to be upgraded:
setup-2.7.20-9.4.mga4.noarch
 (in order to install setup-2.7.20-9.mga4.noarch) (y/N) y

I then had to manually change the ownership and permissions of the files in question so that:

ls -ll /etc/*shadow*
-rw-r--r-- 1 root root 511 Dec  9 21:35 /etc/gshadow
-rw-r--r-- 1 root root 504 Dec  9 21:35 /etc/gshadow-
-rw-r--r-- 1 root root 717 Dec  9 21:35 /etc/shadow
-rw-r--r-- 1 root root 695 Dec  9 21:28 /etc/shadow-

urpmi --media "Core Updates Testing" setup
 ftp://192.168.0.2//pub/mirror/Mageia/distrib/4/i586/media/core/updates_testing/setup-2.7.20-9.4.mga4.noarch.rpm

Which resulted in 
ls -ll /etc/*shadow*
-r--r----- 1 root shadow 511 Dec  9 21:35 /etc/gshadow
-r--r----- 1 root shadow 504 Dec  9 21:35 /etc/gshadow-
-r--r----- 1 root shadow 717 Dec  9 21:35 /etc/shadow
-r--r----- 1 root shadow 695 Dec  9 21:28 /etc/shadow-

This looks to be what is required.

OK for mga4 32
James Kerr 2015-04-20 17:43:57 CEST

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 8 Samuel Verschelde 2015-04-20 17:50:33 CEST 
Have you tested the fact that an old rpmdrake (not the latest from updates) must not mention .rpmnew files at all for this update?

CC: (none) => stormi

Comment 9 James Kerr 2015-04-20 17:57:21 CEST 
No. I've removed the OK and will retest.

Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure MGA4-64-OK

Comment 10 James Kerr 2015-04-20 18:53:08 CEST 
I downgraded setup and rpmdrake and reverted the ownership and permissions of the shadow and gshadow files.

I had to disable core/updates to prevent rpmdrake from updating itself.

I then used (the "old") rpmdrake-6.10.3-1 to update setup. 

There was no "upgrade" information offered and the ownership and permissions of shadow and gshadow  were correctly changed.

Is that what was required?
Comment 11 Samuel Verschelde 2015-04-20 19:28:01 CEST 
Yes, thanks!

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Meg Skywalker 2015-04-21 14:15:46 CEST

CC: (none) => identity.mageia.org

Comment 12 claire robinson 2015-04-22 17:30:51 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2015-04-23 23:15:03 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0162.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED