Bug 22010

Summary: shadow-utils new security issue CVE-2017-12424
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, marja11, mhrambo3501, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK
Source RPM: shadow-utils-4.4-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-11-11 01:22:48 CET 
openSUSE has issued an advisory today (November 10):
https://lists.opensuse.org/opensuse-updates/2017-11/msg00030.html

The issue is fixed upstream in 4.5.

The SUSE bug contains a link to the upstream commit that fixed the issue:
https://bugzilla.suse.com/show_bug.cgi?id=1052261

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-11-11 01:23:06 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO

Marja Van Waes 2017-11-11 13:19:30 CET

CC: (none) => marja11
Assignee: bugsquad => basesystem

Comment 1 Mike Rambo 2017-12-21 15:57:39 CET 
Patched package uploaded for cauldron, Mageia 6, and Mageia 5.

Advisory:
========================

Updated shadow-utils package fixes security vulnerability:

It was found that shadow-utils had a buffer overflow where if a buffer was left NULL for a cycle the next cycle would happily write past the entries buffer (CVE-2017-12424).


References:
https://nvd.nist.gov/vuln/detail/CVE-2017-12424
https://lists.opensuse.org/opensuse-updates/2017-11/msg00030.html
========================

Updated packages in core/updates_testing:
========================
shadow-utils-4.2.1-6.1.mga5

from shadow-utils-4.2.1-6.1.mga5.src.rpm

shadow-utils-4.4-1.1.mga6

from shadow-utils-4.4-1.1.mga6.src.rpm


Tested locally on cauldron, mga6/64, and mag5/32 before submitting to the build system.

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=18984#c19

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: basesystem => qa-bugs
Version: Cauldron => 6
Keywords: (none) => has_procedure
CC: (none) => mrambo

Comment 2 Dave Hodgins 2017-12-22 08:28:18 CET 
Just testing that the update installs cleanly and a few of the commands
such as pwck still work.

Validating the update

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 3 Mageia Robot 2017-12-22 11:32:00 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0465.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 4 Mageia Robot 2017-12-24 15:35:00 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0465.html