A security issue in sos was made public today (May 27):
http://openwall.com/lists/oss-security/2014/05/27/1

The RedHat bug says that it's similar to CVE-2012-2664 (Bug 6525) which we deemed INVALID for us as it depended on Anaconda, but I don't know if that's the case for this one. I don't see a fix available for this one yet. In Cauldron, this could also be updated to 3.1.
CC: (none) => doktor5000, remcoWhiteboard: (none) => MGA4TOO, MGA3TOO
A CVE has been requested for yet another sos issue: http://openwall.com/lists/oss-security/2014/05/29/6
(In reply to David Walser from comment #1)
> A CVE has been requested for yet another sos issue:
> http://openwall.com/lists/oss-security/2014/05/29/6

CVE-2014-3925 was allocated:
http://openwall.com/lists/oss-security/2014/05/30/3

The scope of the CVE was limited to RHEL5, because of it not providing a warning to the user about sensitive information. I'm not sure if our version of sos includes this warning or not. If so, this new CVE can be considered invalid.
Summary: sos new security issue CVE-2014-0246 => sos new security issue CVE-2014-0246 and CVE-2014-3925
Fedora has issued an advisory for CVE-2014-0246 on June 18: https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134751.html
URL: (none) => http://lwn.net/Vulnerabilities/603751/
(In reply to David Walser from comment #0)
> A security issue in sos was made public today (May 27):
> http://openwall.com/lists/oss-security/2014/05/27/1

From the Red Hat bug available at https://bugzilla.redhat.com/show_bug.cgi?id=1101393 this is not considered as a security issue, which makes sense as sos is collecting lots of files, some of them may contain sensitive info anyway that you may want to purge before sending.
Status: NEW => ASSIGNED
It seems 3.1 (which I uploaded to cauldron) doesn't provide the fix either. We'll have to wait for 3.2 to have automatic removal of passwd. However, I agree with the comments in Fedora/RH that it's not really per se a security issue more than what the original file already contains. Let me know if you want me to also retrofit 3.1 to mga4.
There appears to be some disagreement on whether it's a security bug. This one at least does affect us, unlike CVE-2012-2664. It's true that 3.1 doesn't fix the issue, but in Fedora's update to 3.1 for Fedora 20, they added some additional patches which do fix the issue:
http://pkgs.fedoraproject.org/cgit/sos.git/commit/?h=f20&id=0b3105c4a35ad49f673bd68d875acdf956d7409a

It sounds to me like we should update this, but it's a low enough severity issue that it's not urgent at all. I'll leave it up to you as to when you want to do an update.
Should there be some branding patch like CentOS has if we're going to have this packaged, since it's for RedHat support? See here: https://git.centos.org/log/rpms!sos.git/refs!heads!c7
(In reply to David Walser from comment #7)
> Should there be some branding patch like CentOS has if we're going to have
> this packaged, since it's for RedHat support? See here:
> https://git.centos.org/log/rpms!sos.git/refs!heads!c7

Perhaps that would be true of yum as well:
https://git.centos.org/log/rpms!yum.git/refs!heads!c7
Ping..
CC: (none) => mageia
Blocks: (none) => 14674
It seems all the patches in sos-3.1-1.fc19.src.rpm were merged in sos-3.2-0.1.a.fc21.src.rpm which is a "new upstream pre-release sos-3.2-alpha1".
CC: (none) => oe
Indeed, so this doesn't need a million patches, you could update to the alpha as Oden said:
http://pkgs.fedoraproject.org/cgit/sos.git/commit/?id=88f20830bded7435977c283fcc93ef7aa4d029bd

Also, please don't forget about the branding patch mentioned in Comment 7.
Version 3.2 is now pushed into cauldron. What do you want me to do for 3 & 4? I can backport it for these versions.

The link you gave in comment https://bugs.mageia.org/show_bug.cgi?id=13441#c11 has no relationship with the initial bug report which was grub passwd.

The branding is not a question as it was already done since quite a long time.
(In reply to Bruno Cornec from comment #12)
> version 3.2 is now pushed into cauldron.

Not yet it isn't, and I don't see a freeze push request for it.

> What do you want me to do for 3 & 4
> ? I can backport it for these version.

Doing the same thing as is done in Cauldron is probably the only thing that makes sense. Mageia 3 is EOL now, so I've removed that from the whiteboard.

> The link you gave in comment
> https://bugs.mageia.org/show_bug.cgi?id=13441#c11 has no relationship with
> the initial bug report which was grub passwd.

It is completely related to the initial bug report. The link in Comment 11 was to Fedora's update to the 3.2 alpha, in which the CVEs from the original bug report are fixed.

> The branding is not a question as it was already done since quite a long
> time.

It is a question, and it hasn't been fixed in our package.
Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO
(In reply to David Walser from comment #13)
> (In reply to Bruno Cornec from comment #12)
> > version 3.2 is now pushed into cauldron.
>
> Not yet it isn't, and I don't see a freeze push request for it.

Ahh, I see it now, you posted it as a reply to another thread. You should post it as a new thread, otherwise it might be missed.

As to whether to update this for Mageia 4, being as minor an issue as it is, it probably isn't strictly necessary (but it shouldn't hurt anything to do it). I'll leave that up to you.
Fixed in Cauldron in sos-3.2-1.mga5. Thanks Bruno.
Version: Cauldron => 4
Blocks: 14674 => (none)
Whiteboard: MGA4TOO => (none)
Pushed into update_testing for MGA4 as well. Advisory updated.
Assignee: bruno => qa-bugs
(In reply to David Walser from comment #13)
> (In reply to Bruno Cornec from comment #12)
> > The link you gave in comment
> > https://bugs.mageia.org/show_bug.cgi?id=13441#c11 has no relationship with
> > the initial bug report which was grub passwd.
>
> It is completely related to the initial bug report. The link in Comment 11
> was to Fedora's update to the 3.2 alpha, in which the CVEs from the original
> bug report are fixed.

Humm, I don't find any reference to CVE in it, nor any code fixing the grub password problem initially reported.

> > The branding is not a question as it was already done since quite a long
> > time.
>
> It is a question, and it hasn't been fixed in our package.

Please could you show me why my patches for rebranding are not what you want here?

------------------------------------------------------------------------
r672164 | bcornec | 2014-09-04 23:04:07 +0200 (jeu. 04 sept. 2014) | 2 lignes
Chemins modifiés :
   A /cauldron/sos/current/SOURCES/sos-mageia-branding.patch
   M /cauldron/sos/current/SPECS/sos.spec

- sos is now more Mageia branded, based on a CentOS patch
- Cf: https://bugs.mageia.org/show_bug.cgi?id=13441
------------------------------------------------------------------------

FYI I remade them for this 3.2 version and checked they were used correctly.
CC: (none) => bruno
Thanks Bruno!

(In reply to Bruno Cornec from comment #17)
> Humm I don't find any reference to CVE in it, nor any code fixing the grub
> password problem initially reported.

The Fedora commits don't list the CVEs, that's true. The CVEs may not have been allocated yet when Fedora committed the fixes. They fixed the issues in their 3.1 update, because they included 60 additional patches. They removed those patches when updating to the 3.2 alpha, because they're included upstream.

> Please could you show me why my patches for rebranding are not what you want
> here ?
> ------------------------------------------------------------------------
> r672164 | bcornec | 2014-09-04 23:04:07 +0200 (jeu. 04 sept. 2014) | 2 lignes
> Chemins modifiés :
>    A /cauldron/sos/current/SOURCES/sos-mageia-branding.patch
>    M /cauldron/sos/current/SPECS/sos.spec
>
> - sos is now more Mageia branded, based on a CentOS patch - Cf:
> https://bugs.mageia.org/show_bug.cgi?id=13441
> ------------------------------------------------------------------------
>
> FYI I remade them for this 3.2 version and checked they were used correctly.

Cool. svnweb didn't show a branding patch until February 23rd, which is after I posted that comment. Looks like all is well now. Thanks again.
This is the advisory that Bruno added to SVN (I added the Fedora reference from Comment 3):

  type: bugfix
  subject: Updated sos package fixes CVE-2014-0246 and CVE-2014-3925
  src:
    4:
      core:
        - sos-3.2-1.mga4
  description: |
    Update to upstream 3.2 in order to fix some minor security issues on
    password inclusion in log files reported as CVE-2014-0246 and CVE-2014-3925
  references:
    - https://bugs.mageia.org/show_bug.cgi?id=13441
    - https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134751.html
Whiteboard: (none) => advisory
Testing on Mageia4x64 real hardware

From current package:
--------------------
sos-2.2-3.mga3.noarch

  # sosreport -l
  sosreport (version 2.1)
  Les plugins suivants sont activés :
   acpid           acpid related information
   apache          Apache related information
   auditd          Auditd related information
   bootloader      Bootloader information
   crontab         Crontab information
   devicemapper    device-mapper related information (dm, lvm, multipath)
   dovecot         dovecot server related information
  (...)

  # sosreport -v
  sosreport (version 2.1)
  This utility will collect some detailed information about the hardware and setup of your Red Hat Enterprise Linux system. The information is collected and an archive is packaged under /tmp, which you can send to a support representative. Red Hat Enterprise Linux will use this information for diagnostic purposes ONLY and it will be considered confidential information.
  This process may take a while to complete. No changes will be made to your system.
  Appuyez sur Entrée pour continuer ou CTRL-C pour quitter.
  Veuillez saisir votre premier prénom (si vous en avez plusieurs) et votre nom [localhost] :olivier localhost
  Veuillez saisir le numéro de cas pour lequel vous générez ce rapport :1000
  Lancement des extensions. Veuillez patienter...
  Completed [42/42] ...
  Création d'une archive compressée...
  Votre rapport sos a été généré et enregistré dans :
   /tmp/sosreport-olivierlocalhost.1000-20150301221056-57fb.tar.xz
  Le md5sum est :df442c2a1a3b5f1c43c8cc7a14a057fb
  Veuillez envoyer ce fichier à votre représentant de support.

Could find sosreport file in /tmp.

To updated testing package:
--------------------------
sos-3.2-1.mga4.noarch

  # sosreport -l
  Traceback (most recent call last):
    File "/usr/sbin/sosreport", line 20, in <module>
      from sos.sosreport import main
    File "/usr/lib/python2.7/site-packages/sos/sosreport.py", line 30, in <module>
      from sos.plugins import import_plugin
    File "/usr/lib/python2.7/site-packages/sos/plugins/__init__.py", line 21, in <module>
      from sos.utilities import (sos_get_command_output, import_module, grep,
    File "/usr/lib/python2.7/site-packages/sos/utilities.py", line 31, in <module>
      import six
  ImportError: No module named six

  # sosreport

produces the same error.

Updated testing package does not work for me.
CC: (none) => olchal
Install python-six. It should be added as a Requires. We can't add it to the update candidate unless we can get it added in Cauldron first, otherwise it'll cause upgrade problems.
Thanks David.

Following comment 21, installed:
- python-six-1.4.1-3.mga4.noarch

  # sosreport -l
All OK

  # sosreport -v
All OK (even more verbose, and now puts the report in /var/tmp)

As I did not give grub a password, I cannot tell if the sos logs don't give it away anymore. All I can say is updated testing sos-3.2-1.mga4.noarch runs well as long as python-six is installed.
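The tester above could not confirm whether a grub password still ends up in the generated report. The following is an added example, not code from sos or from this bug, of the check a packager can run against a sosreport archive before sending it: it walks the tarball, looks only at the collected bootloader config paths, and reports any `password` / `password_pbkdf2` directive whose secret has not been masked. The constructed in-memory archive, the list of bootloader paths and the assumption that a scrubbed secret is replaced by a run of asterisks are all this example's own.

```python
import io
import re
import tarfile

# grub (legacy and grub2) directives that carry a password hash or plaintext.
GRUB_PASSWORD_RE = re.compile(r'^\s*(password|password_pbkdf2)\b.*$', re.MULTILINE)
# Assumption of this example: a scrubber replaces the secret with asterisks.
MASKED_RE = re.compile(r'\*{3,}')
# Paths (relative to the report root) that hold bootloader config; an assumed list.
BOOTLOADER_PATHS = ('boot/grub/grub.conf', 'boot/grub/menu.lst', 'etc/grub.conf',
                    'boot/grub2/grub.cfg', 'etc/grub.d/')


def find_grub_passwords(text):
    """Return password directive lines whose secret is still visible."""
    hits = []
    for match in GRUB_PASSWORD_RE.finditer(text):
        line = match.group(0).strip()
        if MASKED_RE.search(line):      # already scrubbed, nothing leaked
            continue
        hits.append(line)
    return hits


def scan_sosreport(archive_bytes):
    """Map each bootloader config member in the archive to its unmasked lines."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode='r:*') as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # sos stores files as <reportdir>/<path without the leading slash>
            rel = member.name.split('/', 1)[1] if '/' in member.name else member.name
            if not rel.startswith(BOOTLOADER_PATHS):
                continue
            data = tar.extractfile(member).read().decode('utf-8', 'replace')
            hits = find_grub_passwords(data)
            if hits:
                findings[member.name] = hits
    return findings


def build_sample_report(grub_conf):
    """Constructed sample: a one-file sosreport-like tarball held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz') as tar:   # real reports are .tar.xz; 'r:*' reads either
        info = tarfile.TarInfo('sosreport-host.1000/boot/grub/grub.conf')
        payload = grub_conf.encode()
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == '__main__':
    leaky = "default=0\ntimeout=5\npassword --md5 $1$abc$xyz\ntitle Linux\n"
    print(scan_sosreport(build_sample_report(leaky)))
```

An empty result means every bootloader config in the archive either has no password directive or has it masked; a non-empty result lists exactly what would have been shipped to support.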
Adding feedback marker for the missing require.
Whiteboard: advisory => advisory feedback
Freeze push requested, added in Mageia 4 SVN. I'll push it to the build system once it's pushed in Cauldron.
Fixed Requires pushed in Mageia 4 and Cauldron. sos-3.2-1.1.mga4 is the Mageia 4 update now.
Whiteboard: advisory feedback => advisory
Testing on Mageia 4x32 real hardware, using same procedure as in comment 20

From current package:
-------------------
sos-2.2-3.mga3.noarch

  # sosreport -l
and
  # sosreport -v
gave expected results.

To latest updated testing package:
---------------------------------
sos-3.2-1.1.mga4.noarch
which brought along:
python-six-1.4.1-3.mga4.noarch

  # sosreport -l
  # sosreport -v
OK (report wrote in /var/tmp)

OK on Mageia 4x32
Whiteboard: advisory => advisory MGA4-32-OK
Testing complete mga4 64
Whiteboard: advisory MGA4-32-OK => advisory MGA4-32-OK mga4-64-ok
Advisory updated with new srpm from comment 25.

Validating. Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGAA-2015-0023.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED