Bug 15644 - .rpmnew files generated in setup upgrades might make Mageia 4 users or upgraders lose their passwords and fstab
Summary: .rpmnew files generated in setup upgrades might make Mageia 4 users or upgrad...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All
OS: Linux
Priority: High
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure advisory MGA4-64-OK MGA...
Keywords: validated_update
Duplicates: 14516
Depends on:
Blocks: 14516
Reported: 2015-04-07 16:52 CEST by Rémi Verschelde
Modified: 2015-04-23 23:15 CEST

See Also:
Source RPM: setup
CVE:
Status comment:


Description Rémi Verschelde 2015-04-07 16:52:18 CEST
As discussed at length in the dev [1] and QA [2] mailing lists, the setup update pushed to both Mageia 4 (MGASA-2015-0116 [3], mga#14516 [4], setup-2.7.20-9.1.mga4) and Cauldron (setup-2.7.21-4.mga5) could lead to unwary users emptying the contents of critical config files such as /etc/fstab and /etc/shadow.

The reason is that when updating via rpmdrake without restarting it after its priority upgrade (MGAA-2015-0028 [5], mga#14266 [6]), users would be notified of the creation of .rpmnew files for /etc/shadow (and potentially /etc/fstab and /etc/resolv.conf), and rpmdrake gives them the possibility to replace their current files by the basically empty .rpmnew files, leading to the loss of passwords and/or of the filesystem table.


[1] https://ml.mageia.org/l/arc/dev/2015-04/msg00048.html
[2] https://ml.mageia.org/l/arc/qa-discuss/2015-03/msg00399.html
[3] http://advisories.mageia.org/MGASA-2015-0116.html
[4] https://bugs.mageia.org/show_bug.cgi?id=14516
[5] http://advisories.mageia.org/MGAA-2015-0028.html
[6] https://bugs.mageia.org/show_bug.cgi?id=14266

Rémi Verschelde 2015-04-07 16:52:41 CEST

Blocks: (none) => 14516

Rémi Verschelde 2015-04-07 16:53:55 CEST

QA Contact: (none) => qa-bugs

Rémi Verschelde 2015-04-07 16:54:04 CEST

Priority: Normal => High

Rémi Verschelde 2015-04-07 16:54:11 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 Thierry Vignaud 2015-04-08 08:55:23 CEST
No need for two BR

*** This bug has been marked as a duplicate of bug 14516 ***

Status: NEW => RESOLVED
CC: (none) => thierry.vignaud
Resolution: (none) => DUPLICATE

Comment 2 claire robinson 2015-04-17 16:39:13 CEST
Re-opening as per QA meeting. Advisory updated for bug 14516.

Current packages:

SRPM:
 - setup-2.7.20-9.4.mga4

RPMs:
setup-2.7.20-9.4.mga4.noarch

Status: RESOLVED => REOPENED
Version: Cauldron => 4
Resolution: DUPLICATE => (none)
Whiteboard: MGA4TOO => (none)

claire robinson 2015-04-17 16:41:41 CEST

Assignee: rverschelde => qa-bugs
QA Contact: qa-bugs => security

Comment 3 claire robinson 2015-04-17 16:43:04 CEST
Advisory:
=========

Updated setup package fixes security issue

  An issue has been identified in Mageia 4's setup package where the
  /etc/shadow and /etc/gshadow files containing password hashes were created
  with incorrect permissions, making them world-readable (mga#14516).

  This update fixes this issue by enforcing that those files are owned by
  the root user and shadow group, and are only readable by those two entities.

  Note that this issue only affected new Mageia 4 installations. Systems that
  were updated from previous Mageia versions were not affected.

  This update was already issued as MGASA-2015-0116, but the latter was withdrawn
  as it generated .rpmnew files for critical configuration files, and rpmdrake
  might propose that the user use those basically empty files, thus leading to
  the loss of passwords or of the partition table. This new update ensures that
  such .rpmnew files are not kept after the update.


References:
 - https://bugs.mageia.org/show_bug.cgi?id=14516
 - http://advisories.mageia.org/MGASA-2015-0116.html
 - https://ml.mageia.org/l/arc/qa-discuss/2015-03/msg00399.html
claire robinson 2015-04-17 16:45:10 CEST

Component: RPM Packages => Security

Comment 4 David Walser 2015-04-17 16:53:08 CEST
*** Bug 14516 has been marked as a duplicate of this bug. ***

CC: (none) => thkala

Comment 5 David Walser 2015-04-18 17:38:36 CEST
*** Bug 14516 has been marked as a duplicate of this bug. ***

Comment 6 Rémi Verschelde 2015-04-19 17:12:08 CEST
Testing procedure... https://bugs.mageia.org/show_bug.cgi?id=14516#c73

OK'ing for Mageia 4 x86_64 as per https://bugs.mageia.org/show_bug.cgi?id=14516#c78

Whiteboard: (none) => has_procedure MGA4-64-OK

Comment 7 James Kerr 2015-04-20 17:42:29 CEST
urpmi --downgrade setup
The following package has to be removed for others to be upgraded:
setup-2.7.20-9.4.mga4.noarch
 (in order to install setup-2.7.20-9.mga4.noarch) (y/N) y

I then had to manually change the ownership and permissions of the files in question so that:

ls -ll /etc/*shadow*
-rw-r--r-- 1 root root 511 Dec  9 21:35 /etc/gshadow
-rw-r--r-- 1 root root 504 Dec  9 21:35 /etc/gshadow-
-rw-r--r-- 1 root root 717 Dec  9 21:35 /etc/shadow
-rw-r--r-- 1 root root 695 Dec  9 21:28 /etc/shadow-

urpmi --media "Core Updates Testing" setup
 ftp://192.168.0.2//pub/mirror/Mageia/distrib/4/i586/media/core/updates_testing/setup-2.7.20-9.4.mga4.noarch.rpm

Which resulted in 
ls -ll /etc/*shadow*
-r--r----- 1 root shadow 511 Dec  9 21:35 /etc/gshadow
-r--r----- 1 root shadow 504 Dec  9 21:35 /etc/gshadow-
-r--r----- 1 root shadow 717 Dec  9 21:35 /etc/shadow
-r--r----- 1 root shadow 695 Dec  9 21:28 /etc/shadow-

This looks to be what is required.

OK for mga4 32
James Kerr 2015-04-20 17:43:57 CEST

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK
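The two things the testers verify by hand in this thread, the ownership and mode of the shadow files after the update (Comment 7) and the absence of leftover .rpmnew files for the configuration files named in the description, can be scripted. The following POSIX shell script is an added example, not part of the bug report or of the setup package: it checks that shadow, shadow-, gshadow and gshadow- are root:shadow with mode 0440 (the state shown in the second ls listing of Comment 7) and flags any shadow, gshadow, fstab or resolv.conf .rpmnew, warning loudly when the .rpmnew is empty. The directory argument, the expected owner/group/mode parameters (there so the script can run against a constructed tree without root) and the file lists are assumptions; stat -c is GNU coreutils syntax.

```shell
#!/bin/sh
# Added example, not from the bug report. Checks the post-update state that
# MGASA-2015-0162 is meant to produce and looks for the .rpmnew files that
# MGASA-2015-0116 left behind.

# check_shadow_perms DIR [USER] [GROUP] [MODE]
#   DIR is the directory holding the shadow files (normally /etc).
#   USER/GROUP/MODE default to root/shadow/440; they are parameters only so
#   the check can be exercised on a constructed tree as an unprivileged user.
#   Returns 0 when every present file matches, 1 otherwise.
check_shadow_perms() {
    etc=${1:-/etc}
    want_user=${2:-root}
    want_group=${3:-shadow}
    want_mode=${4:-440}
    rc=0
    for f in shadow shadow- gshadow gshadow-; do
        p="$etc/$f"
        [ -e "$p" ] || continue
        # GNU stat: owner name, group name, octal permission bits
        set -- $(stat -c '%U %G %a' "$p")
        if [ "$1" != "$want_user" ] || [ "$2" != "$want_group" ] || [ "$3" != "$want_mode" ]; then
            echo "BAD    $p is $1:$2 mode $3 (want $want_user:$want_group mode $want_mode)"
            rc=1
        else
            echo "OK     $p"
        fi
    done
    return $rc
}

# find_rpmnew DIR
#   Reports DIR/<file>.rpmnew for the critical files named in the description.
#   An empty .rpmnew is the dangerous case: accepting it in rpmdrake would wipe
#   the live file. Returns 0 when nothing was found, 1 when at least one exists.
find_rpmnew() {
    etc=${1:-/etc}
    found=0
    for f in shadow gshadow fstab resolv.conf; do
        n="$etc/$f.rpmnew"
        [ -e "$n" ] || continue
        found=1
        if [ -s "$n" ]; then
            echo "WARN   $n exists; compare it with $etc/$f before doing anything"
        else
            echo "DANGER $n is empty; replacing $etc/$f with it would empty that file"
        fi
    done
    return $found
}

# Stand-alone use against the real system (as root so the files are readable):
#   sh check-setup-update.sh
# Exit status is non-zero if either check found a problem.
if [ "${1:-}" = "--run" ] || [ -z "${1:-}" ] && [ -t 0 ]; then
    status=0
    check_shadow_perms /etc || status=1
    find_rpmnew /etc || status=1
    [ "${0##*/}" = sh ] || exit $status
fi
```

Run it after applying setup-2.7.20-9.4.mga4; both functions print one line per file, so the output can be pasted into a QA comment the same way the ls listings above were.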

Comment 8 Samuel Verschelde 2015-04-20 17:50:33 CEST
Have you tested the fact that an old rpmdrake (not the latest from updates) must not mention .rpmnew files at all for this update?

CC: (none) => stormi

Comment 9 James Kerr 2015-04-20 17:57:21 CEST
No. I've removed the OK and will retest.

Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure MGA4-64-OK

Comment 10 James Kerr 2015-04-20 18:53:08 CEST
I downgraded setup and rpmdrake and reverted the ownership and permissions of the shadow and gshadow files.

I had to disable core/updates to prevent rpmdrake from updating itself.

I then used (the "old") rpmdrake-6.10.3-1 to update setup. 

There was no "upgrade" information offered and the ownership and permissions of shadow and gshadow were correctly changed.

Is that what was required?

Comment 11 Samuel Verschelde 2015-04-20 19:28:01 CEST
Yes, thanks!

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Meg Skywalker 2015-04-21 14:15:46 CEST

CC: (none) => identity.mageia.org

Comment 12 claire robinson 2015-04-22 17:30:51 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2015-04-23 23:15:03 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0162.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
