Bug 16641

Summary: util-linux new security issue CVE-2015-5224
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, shlomif, sysadmin-bugs, tmb
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/656987/
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Source RPM: util-linux-2.25.2-3.mga6.src.rpm CVE:
Status comment:

Description David Walser 2015-08-24 17:54:21 CEST 
A security issue in util-linux's login-utils's chfn/chsh commands has been announced:
http://openwall.com/lists/oss-security/2015/08/24/3

Only when it's built without libuser support (like ours) is it affected.  I'm not sure why ours is built without it, when Fedora's is built with it.  I've asked about that on the dev list.

In the meantime, the upstream patch was backported to 2.25.2 and checked into Mageia 5 and Cauldron SVN.  The lib/fileutils.c portion of the patch isn't obviously backportable to 2.24.2 in Mageia 4.

Reproducible: 

Steps to Reproduce:
David Walser 2015-08-24 17:54:28 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Sander Lepik 2015-08-30 19:43:03 CEST

CC: (none) => mageia
Assignee: bugsquad => tmb

Comment 1 David Walser 2015-09-02 22:18:10 CEST 
Nobody responded to my question on the dev list about why our util-linux is built without libuser support.
Comment 2 RĂ©mi Verschelde 2015-09-04 13:39:02 CEST 
There are now some answers to the question about adding libuser support: https://ml.mageia.org/l/arc/dev/2015-09/msg00034.html

As it does not seem consensual yet, I'd suggest to just provide an update candidate to Mageia 5 with the patch you already checked in (also remove %_libdir/libuuid.la at the same time), and maybe only enable libuser support in cauldron.
Comment 3 David Walser 2015-09-04 14:20:06 CEST 
OK, this is WONTFIX for Mageia 4 then too.

Whiteboard: MGA5TOO, MGA4TOO => MGA5TOO

Comment 4 David Walser 2015-09-04 15:34:34 CEST 
Advisory:
========================

Updated util-linux packages fix security vulnerability:

The chfn and chsh commands in util-linux's login-utils are vulnerable to a
file name collision due to incorrect mkstemp usage. If the chfn and chsh
binaries are both setuid-root they eventually call mkostemp in such a way that
an attacker could repeatedly call them and eventually be able to overwrite
certain files in /etc (CVE-2015-5224).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5224
http://openwall.com/lists/oss-security/2015/08/24/3
========================

Updated packages in core/updates_testing:
========================
util-linux-2.25.2-3.1.mga5
libblkid1-2.25.2-3.1.mga5
libblkid-devel-2.25.2-3.1.mga5
libuuid1-2.25.2-3.1.mga5
libuuid-devel-2.25.2-3.1.mga5
uuidd-2.25.2-3.1.mga5
python-libmount-2.25.2-3.1.mga5
libmount1-2.25.2-3.1.mga5
libmount-devel-2.25.2-3.1.mga5
libsmartcols1-2.25.2-3.1.mga5
libsmartcols-devel-2.25.2-3.1.mga5

from util-linux-2.25.2-3.1.mga5.src.rpm

CC: (none) => tmb
Version: Cauldron => 5
Assignee: tmb => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 5 Shlomi Fish 2015-09-08 13:51:15 CEST 
Tested chsh and chfn on MGA5-64-OK . Marking as such.

CC: (none) => shlomif
Whiteboard: (none) => MGA5-64-OK

Comment 6 Shlomi Fish 2015-09-08 13:57:03 CEST 
MArking as MGA5-32-OK and validated_update.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2015-09-08 15:35:43 CEST 
Advisory uploaded.

Whiteboard: MGA5-64-OK MGA5-32-OK => advisory MGA5-64-OK MGA5-32-OK

Comment 8 Mageia Robot 2015-09-08 19:57:39 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0352.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-09-09 19:50:19 CEST

URL: (none) => http://lwn.net/Vulnerabilities/656987/