Bug 16459

Summary:	libuser new security issues CVE-2015-3245 and CVE-2015-3246
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	critical
Priority:	Normal	CC:	davidwhodgins, marc.lattemann, ottoleipala1, peter.semiletov, sysadmin-bugs
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/652362/
Whiteboard:	MGA4TOO advisory MGA4-64-OK MGA5-32-OK
Source RPM:	libuser-0.60-5.mga5.src.rpm	CVE:
Status comment:

Description David Walser 2015-07-23 20:40:55 CEST

RedHat has issued an advisory today (July 23):
https://rhn.redhat.com/errata/RHSA-2015-1483.html

More details are here:
https://securityblog.redhat.com/2015/07/23/libuser-vulnerabilities/
https://access.redhat.com/articles/1537873
http://openwall.com/lists/oss-security/2015/07/23/16

The last link has an exploit for this.

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated libuser packages fix security vulnerabilities:

Two flaws were found in the way the libuser library handled the /etc/passwd
file. A local attacker could use an application compiled against libuser
(for example, userhelper) to manipulate the /etc/passwd file, which could
result in a denial of service or possibly allow the attacker to escalate
their privileges to root (CVE-2015-3245, CVE-2015-3246).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3246
https://securityblog.redhat.com/2015/07/23/libuser-vulnerabilities/
https://access.redhat.com/articles/1537873
http://openwall.com/lists/oss-security/2015/07/23/16
https://rhn.redhat.com/errata/RHSA-2015-1483.html
========================

Updated packages in core/updates_testing:
========================
libuser-0.60-2.1.mga4
libuser-python-0.60-2.1.mga4
libuser-ldap-0.60-2.1.mga4
libuser1-0.60-2.1.mga4
libuser-devel-0.60-2.1.mga4
libuser-0.60-5.1.mga5
libuser-python-0.60-5.1.mga5
libuser-ldap-0.60-5.1.mga5
libuser1-0.60-5.1.mga5
libuser-devel-0.60-5.1.mga5

from SRPMS:
libuser-0.60-2.1.mga4.src.rpm
libuser-0.60-5.1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:

David Walser 2015-07-23 20:41:53 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 Dave Hodgins 2015-07-24 01:00:32 CEST

Advisory committed to svn. Testing shortly.

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory

David Walser 2015-07-24 17:15:51 CEST

URL: (none) => http://lwn.net/Vulnerabilities/652362/

Comment 2 Dave Hodgins 2015-07-24 18:03:13 CEST

Sorry for the delay, had a power outage here, and fell asleep.

Testing complete. Validating the update.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2015-07-24 18:36:47 CEST

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0278.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 4 Otto Leipälä 2015-07-24 22:41:18 CEST

Bug in just pushed libuser can't edit user groups from mcc or manatools.

invalid content of lock /etc/shadow.lock

I reopen this bug as we need to get where that bug is.

Status: RESOLVED => REOPENED
CC: (none) => ozkyster
Resolution: FIXED => (none)

Comment 5 David Walser 2015-07-24 22:43:30 CEST

Please open a new bug if there's a regression.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 6 Dave Hodgins 2015-07-24 23:45:24 CEST

(In reply to Otto LeipÃ¤lÃ¤ from comment #4)
> Bug in just pushed libuser can't edit user groups from mcc or manatools.
> invalid content of lock /etc/shadow.lock
> I reopen this bug as we need to get where that bug is.

It might require a reboot. As I did reboot between installing the update
and testing, I'm not sure if it's needed or not.

My /etc/shadow.lock file is empty ...
# ll /etc/shadow.lock
-rw------- 1 root root 0 May 21  2013 /etc/shadow.lock

Comment 7 Otto Leipälä 2015-07-25 00:08:38 CEST

No i rebooted many times so there is real bug so don't close this yet.

Comment 8 Marc Lattemann 2015-07-25 00:13:00 CEST

I can reproduce this error in mcc, which is gone by downgrading to previous version. However as suggest by David in Comment #5, we should open a new bug for it.

CC: (none) => marc.lattemann

Comment 9 Marc Lattemann 2015-07-25 11:27:39 CEST

https://bugs.mageia.org/show_bug.cgi?id=16467

Comment 10 Otto Leipälä 2015-07-25 12:09:45 CEST

Don't need to create duplicate bug report please we can use same bug report to update and fix problem found from pushed update,as this releated to this exact package.

Comment 11 Rémi Verschelde 2015-07-25 12:15:48 CEST

(In reply to Otto LeipÃ¤lÃ¤ from comment #10)
> Don't need to create duplicate bug report please we can use same bug report
> to update and fix problem found from pushed update,as this releated to this
> exact package.

No, creating a new bug report is exactly what had to be done according to our policy. Once an update is pushed, its bug report is closed: the security issue has been fixed. If there are regressions, they need to be reported in another bug report to be fixed in another update.

Comment 12 Otto Leipälä 2015-07-25 12:21:26 CEST

Yes you are right let this bug burried to six feet under and use that new one.

Comment 13 Peter Semiletov 2015-07-29 11:48:57 CEST

This fix make Userdrake unstable - it can't normally create or delete the user.

CC: (none) => peter.semiletov

Comment 14 David Walser 2015-07-29 12:58:51 CEST

(In reply to Peter Semiletov from comment #13)
> This fix make Userdrake unstable - it can't normally create or delete the
> user.

Fix in progress, see bug 16467.