Bug 3995

Summary: libuser missing security update for CVE-2011-0002
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: cazzaniga.sandro, dmorganec, mageia, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: libuser-0.56.18-4.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-01-01 20:18:31 CET 
Mandriva issued this advisory on January 26:
http://lists.mandriva.com/security-announce/2011-01/msg00022.php
Comment 1 Manuel Hiebel 2012-01-01 20:48:53 CET 
Hi, thanks for reporting this bug.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
CC: (none) => cazzaniga.sandro, mageia, thierry.vignaud

Comment 2 D Morgan 2012-01-03 02:10:49 CET 
fixed in svn.

Please test rpms in updates_testing

CC: (none) => dmorganec
Assignee: bugsquad => qa-bugs

Comment 3 claire robinson 2012-01-03 12:10:34 CET 
$ urpmq --whatrequires libuser
libuser
libuser1
passwd
userdrake


Testing x86_64

The following 2 packages are going to be installed:

- lib64user1-0.56.18-4.1.mga1.x86_64
- libuser-0.56.18-4.1.mga1.x86_64

Created a new user with userdrake

# cat /etc/passwd | grep testuser
testuser:x:501:501:Test User:/home/testuser:/bin/bash

# cat /etc/group | grep testuser
testuser:x:501:

# cat /etc/shadow | grep testuser
testuser:$2a$08$FCnQFTuULmR.4ztV1WBVL.Ch7uDVwqZiPcT3fOVPkOpBISY.toap2:15342:-1:99999:-1:::

Logged in via ssh.

Testing complete x86_64 for SRPM
libuser-0.56.18-4.1.mga1.src.rpm
Thierry Vignaud 2012-01-03 18:05:29 CET

CC: thierry.vignaud => (none)

Comment 4 David Walser 2012-01-03 23:05:35 CET 
Tested successfully on i586.
David Walser 2012-01-08 23:58:25 CET

Keywords: Triaged => validated_update
CC: (none) => sysadmin-bugs

Comment 5 David Walser 2012-01-09 11:34:36 CET 
Suggested advisory:
=====================

Updated libuser packages fix security vulnerability:

libuser before 0.57 uses a cleartext password value of (1) !! or (2) x
for new LDAP user accounts, which makes it easier for remote attackers
to obtain access by specifying one of these values (CVE-2011-0002).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0002
http://www.mandriva.com/support/security/advisories/?dis=2010.1&name=MDVSA-2011:019
=====================

Updated packages in core/updates_testing:
=====================
libuser-0.56.18-4.1.mga1
libuser-devel-0.56.18-4.1.mga1
libuser-ldap-0.56.18-4.1.mga1
libuser-python-0.56.18-4.1.mga1
libuser1-0.56.18-4.1.mga1

from libuser-0.56.18-4.1.mga1.src.rpm
=====================
Comment 6 David Walser 2012-01-09 14:00:18 CET 
Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Hardware: i586 => All

Comment 7 Thomas Backlund 2012-01-09 15:24:25 CET 
update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED