Bug 31198

Summary: shadow-utils new security issue CVE-2013-4235
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: shadow-utils-4.6-4.mga8.src.rpm CVE: CVE-2013-423
Status comment:

Description David Walser 2022-11-28 20:09:14 CET 
Ubuntu has issued an advisory today (November 28):
https://ubuntu.com/security/notices/USN-5745-1

The issue is fixed upstream in 4.13 (just updated in Cauldron).
David Walser 2022-11-28 20:09:50 CET

Status comment: (none) => Patches available from upstream and Ubuntu

Comment 1 Lewis Smith 2022-11-28 20:46:00 CET 
Thank you for updating the package in Cauldron.
So it is poised for M8: in which case, are the indicated patches still relevant?

No one packager visible for this, so assigning the M8 update globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-11-30 14:09:47 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees. (CVE-2013-4235)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235
https://ubuntu.com/security/notices/USN-5745-1
========================

Updated package in core/updates_testing:
========================
shadow-utils-4.6-4.1.mga8

from SRPM:
shadow-utils-4.6-4.1.mga8.src.rpm

CVE: (none) => CVE-2013-423
Status comment: Patches available from upstream and Ubuntu => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero

Comment 3 David Walser 2022-11-30 17:41:48 CET 
Are we affected by the regression that Ubuntu had to fix in this update?
https://ubuntu.com/security/notices/USN-5745-2
Comment 4 Dave Hodgins 2022-11-30 18:52:56 CET 
No sign of the regression.

Before and after installing the update, the results of useradd appear to be
the same. After installing the update ...
[root@x3 ~]# ll /home/newid
ls: cannot access '/home/newid': No such file or directory
[root@x3 ~]# useradd newid
[root@x3 ~]# ll /home/newid
total 44
-rw-r--r-- 1 newid newid  387 Dec 15  2020 .bash_completion
-rw-r--r-- 1 newid newid   24 Oct  1 15:13 .bash_logout
-rw-r--r-- 1 newid newid  208 Oct  1 15:13 .bash_profile
-rw-r--r-- 1 newid newid  124 Oct  1 15:13 .bashrc
drwxr-xr-x 2 newid newid 4096 Jan 12  2013 .gnome2/
drwxr-xr-x 2 newid newid 4096 Nov 21  2020 .italc/
-rw-r--r-- 1 newid newid  172 May  4  2018 .kshrc
-rw-r--r-- 1 newid newid 1107 Aug 21  2013 .mkshrc
drwxr-xr-x 4 newid newid 4096 Feb 13  2020 .mozilla/
-rw-r--r-- 1 newid newid 3793 Feb 27  2021 .screenrc
drwx------ 2 newid newid 4096 Feb 11  2020 tmp/
[root@x3 ~]# userdel -r newid
userdel: newid mail spool (/var/spool/mail/newid) not found
[root@x3 ~]# ll /home/newid
ls: cannot access '/home/newid': No such file or directory

We'll need to test this more thoroughly before validating.

CC: (none) => davidwhodgins

Comment 5 Herman Viaene 2022-12-10 10:27:30 CET 
MGA8-64 MATE on Acer Aspire 5253.
Before installing I checked whether this rpm was already installed in a previous version, it wasn't.
Then I read about the contents of this rpm and its commands: I find things there like adduser, pwck etc...
But these exist already on my system in /usr/sbin, adduser being a link to useradd. So if I install this rpm, it will overwrite those existing ones ???? And when I remove the rpm, the commands are gone alltogether ?????

CC: (none) => herman.viaene

Comment 6 David Walser 2022-12-10 13:17:55 CET 
There's no way you don't already have this installed.
Comment 7 Dave Hodgins 2022-12-10 19:49:43 CET 
# urpme --test shadow-utils
Removing the following package will break your system:
  basesystem-minimal-8-0.4.mga8.x86_64
   (due to missing basesystem-minimal-core,
    due to missing makedev,
    due to missing initscripts,
    due to missing cronie,
    due to missing iproute2)
Comment 8 Herman Viaene 2022-12-12 14:33:54 CET 
@David
You're right. The checkbox here is a very light grey, I overlooked the flag, indicating it caan't be removed in MCC
Installing new version works OK.
# useradd prutser
# getent passwd {1000..60000}
tester8:x:1000:1000:Tester8:/home/tester8:/bin/bash
prutser:x:1001:1001::/home/prutser:/bin/bash
# usermod -p pruts prutser
# pwck
user 'adm': directory '/var/adm' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
user 'rpc': directory '/var/lib/rpcbind' does not exist
user 'avahi-autoipd': directory '/var/lib/avahi-autoipd' does not exist
user 'squid': directory '/var/spool/squid' does not exist
pwck: no changes
# userdel prutser
# userdel prutser
# getent passwd {1000..60000}
tester8:x:1000:1000:Tester8:/home/tester8:/bin/bash
All seem to work OK

Whiteboard: (none) => MGA8-64-OK

Comment 9 Thomas Andrews 2022-12-12 21:47:23 CET 
Validating. Advisory in comment 2.

"We'll need to test this more thoroughly before validating."

Dave Hodgins, if you think even more testing is needed, feel free to remove the validation.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-12-13 02:20:58 CET

Keywords: (none) => advisory

Comment 10 Mageia Robot 2022-12-13 23:10:47 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0455.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED