Bug 9581

Summary: libuser new security issues CVE-2012-5630 and CVE-2012-5644
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: sysadmin-bugs, tmb
Version: 2
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/546514/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Source RPM: libuser-0.57.3-1.mga2.src.rpm
CVE:
Status comment:

Description David Walser 2013-04-01 01:07:29 CEST
libuser 0.59 was released, fixing some security issues.

Freeze push for Cauldron requested.

Fedora backported a patch for 0.57.6 that might work for Mageia 2:
http://pkgs.fedoraproject.org/cgit/libuser.git/commit/?h=f17&id=78a55bf498cac0b430ba6512654860c39dfd0bf9

David Walser 2013-04-01 01:07:37 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 David Walser 2013-04-02 22:53:44 CEST
libuser 0.59 pushed in Cauldron.

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

Comment 2 David Walser 2013-04-02 23:34:16 CEST
Patch applies in Mageia 2, but it doesn't build:
http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20130402210500.luigiwalser.valstar.4305/log/libuser-0.57.3-1.1.mga2/build.0.20130402210505.log

It looks like it doesn't like the lu_util_fscreate_from_fd calls on lines 243 and 460 of apps/apputil.c. lu_util_fscreate_from_fd is a function if compiled --with-selinux (as Fedora does), but is a macro if compiled --without-selinux (as we do). These are defined in lib/user_private.h.

Comment 3 David Walser 2013-04-04 18:21:26 CEST
There was a bug in the macro (which is being added in this patch), which was addressed upstream in the last commit for 0.59.  I've made the appropriate change to the patch.

Patched package uploaded for Mageia 2.

The references will be updated when Fedora's F18 update is pushed.

Advisory:
========================

Updated libuser packages fix security vulnerabilities:

A TOCTOU (time-of-check time-of-use) race condition was found in the way
libuser performed copying and removal of (user) directory trees. A local
attacker, with permissions to write into a particular directory, could use
this flaw to conduct symbolic link attacks, leading to their ability to
alter / remove directories outside of this directory (tree), if this
directory was simultaneously modified (copied or removed) via libuser
functionality (CVE-2012-5630).

An information disclosure flaw was found in the way libuser performed
movement of a user's home directory. Previously, during the move the
ownership of all the (sub)entries present in the directory tree to be moved
was changed from the privileged user account to the effective user id of the
user the home directory should belong to. A local attacker could use this
flaw to conduct hardlink attacks and possibly obtain unauthorized access
to an arbitrary system file (CVE-2012-5644).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5630
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5644
https://bugzilla.redhat.com/show_bug.cgi?id=884685
https://bugzilla.redhat.com/show_bug.cgi?id=885724
========================

Updated packages in core/updates_testing:
========================
libuser-0.57.3-1.1.mga2
libuser-python-0.57.3-1.1.mga2
libuser-ldap-0.57.3-1.1.mga2
libuser1-0.57.3-1.1.mga2
libuser-devel-0.57.3-1.1.mga2

from libuser-0.57.3-1.1.mga2.src.rpm

Assignee: bugsquad => qa-bugs
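
The descriptor-relative tree removal that closes the symlink race described in the CVE-2012-5630 advisory text above, as an added example (not libuser's code and not the Fedora patch). `remove_tree`, `remove_below` and `demo` are hypothetical names; the hard-link issue (CVE-2012-5644) is not covered.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Empty the directory open on dfd; ownership of dfd passes to this function. */
static int remove_below(int dfd)
{
    DIR *d = fdopendir(dfd);
    struct dirent *e;
    struct stat st;
    int rc = 0;
    if (d == NULL) { close(dfd); return -1; }
    while (rc == 0 && (e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        /* lstat semantics relative to the fd: a symlink is reported, not followed */
        if (fstatat(dfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) { rc = -1; break; }
        if (!S_ISDIR(st.st_mode)) { rc = unlinkat(dfd, e->d_name, 0); continue; }
        /* entry swapped for a symlink after the check: O_NOFOLLOW fails the open */
        int sub = openat(dfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        rc = (sub < 0 || remove_below(sub) != 0) ? -1 : unlinkat(dfd, e->d_name, AT_REMOVEDIR);
    }
    closedir(d); /* also closes dfd */
    return rc;
}

/* Assumption: the parent of path is writable only by the caller (e.g. root-owned /home). */
int remove_tree(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0 || remove_below(fd) != 0) return -1;
    return rmdir(path);
}

/* Constructed input: home/ holds sub/file and a symlink to outside/. Returns 1 if only home/ was removed. */
int demo(void)
{
    char base[] = "/tmp/rmtree.XXXXXX";
    if (mkdtemp(base) == NULL || chdir(base) != 0) return -1;
    if (mkdir("outside", 0700) || mkdir("home", 0700) || mkdir("home/sub", 0700)) return -1;
    close(creat("outside/keep", 0600)); close(creat("home/sub/file", 0600));
    if (symlink("../outside", "home/link") != 0 || remove_tree("home") != 0) return -1;
    return access("home", F_OK) != 0 && access("outside/keep", F_OK) == 0;
}
int main(void) { printf("demo: %d\n", demo()); return 0; }
```

Every lookup after the initial open is made relative to a directory descriptor the process already holds, so renaming or replacing a path component during the walk cannot redirect it outside the tree.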

Comment 4 claire robinson 2013-04-06 11:24:54 CEST
Testing mga2 64 using user management commands from
$ urpmf libuser: | grep bin

Confirming libuser is used by running under strace
# strace -o strace.txt luseradd testuser
# grep user strace.txt

Comparing with results from
$ urpmf libuser:
$ urpmf lib64user1

# strace -o strace.txt lpasswd testuser
New password:
New password (confirm):
Password changed.
# grep user strace.txt

Looking for things like..
open("/usr/lib64/libuser.so.1", O_RDONLY) = 3
open("/etc/libuser.conf", O_RDONLY)     = 3
open("/usr/lib64/libuser/libuser_files.so", O_RDONLY) = 3
open("/usr/lib64/libuser/libuser_shadow.so", O_RDONLY) = 3

Check it's worked..
# grep testuser /etc/passwd
testuser:x:501:501:testuser:/home/testuser:/bin/bash
# grep testuser /etc/group
testuser:x:501:

Check correct ownership in /home
# ll -d /home/testuser
drwx------ 4 testuser testuser 4096 Apr  6 10:05 /home/testuser/

# ll -a /home/testuser
total 36
drwx------ 4 testuser testuser 4096 Apr  6 10:05 ./
drwxr-xr-x 6 root     root     4096 Apr  6 10:05 ../
-rw-r--r-- 1 testuser testuser  387 Jan  9  2012 .bash_completion
-rw-r--r-- 1 testuser testuser   24 Jul 25  2012 .bash_logout
-rw-r--r-- 1 testuser testuser  191 Jul 25  2012 .bash_profile
-rw-r--r-- 1 testuser testuser  124 Jul 25  2012 .bashrc
drwxr-xr-x 4 testuser testuser 4096 May 24  2012 .mozilla/
-rw-r--r-- 1 testuser testuser 3793 Jan  8  2011 .screenrc
drwx------ 2 testuser testuser 4096 Jan 11  2011 tmp/

Remove testuser
# luserdel -r testuser
# ll -a /home/testuser
ls: cannot access /home/testuser: No such file or directory

Whiteboard: (none) => has_procedure mga2-64-ok

Comment 5 claire robinson 2013-04-06 12:06:45 CEST
Testing complete mga2 32

Validating

Advisory & srpm in comment 3

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2013-04-06 15:19:38 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0110

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 7 David Walser 2013-04-18 21:07:29 CEST
Fedora has issued an advisory for this:
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102068.html

URL: (none) => http://lwn.net/Vulnerabilities/546514/