RedHat has issued an advisory today (July 23): https://rhn.redhat.com/errata/RHSA-2015-1483.html

More details are here:
https://securityblog.redhat.com/2015/07/23/libuser-vulnerabilities/
https://access.redhat.com/articles/1537873
http://openwall.com/lists/oss-security/2015/07/23/16

The last link has an exploit for this.

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated libuser packages fix security vulnerabilities:

Two flaws were found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root (CVE-2015-3245, CVE-2015-3246).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3246
https://securityblog.redhat.com/2015/07/23/libuser-vulnerabilities/
https://access.redhat.com/articles/1537873
http://openwall.com/lists/oss-security/2015/07/23/16
https://rhn.redhat.com/errata/RHSA-2015-1483.html
========================

Updated packages in core/updates_testing:
========================

libuser-0.60-2.1.mga4
libuser-python-0.60-2.1.mga4
libuser-ldap-0.60-2.1.mga4
libuser1-0.60-2.1.mga4
libuser-devel-0.60-2.1.mga4

libuser-0.60-5.1.mga5
libuser-python-0.60-5.1.mga5
libuser-ldap-0.60-5.1.mga5
libuser1-0.60-5.1.mga5
libuser-devel-0.60-5.1.mga5

from SRPMS:
libuser-0.60-2.1.mga4.src.rpm
libuser-0.60-5.1.mga5.src.rpm

Reproducible:

Steps to Reproduce:
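The advisory above says the flaws let a local user manipulate /etc/passwd through a libuser-linked helper. Two checks an administrator would want after applying the update are (a) is the installed libuser at least the fixed version-release listed above, and (b) does /etc/passwd still look like a well-formed file (seven colon-separated fields per record, numeric uid/gid, no second uid-0 account, no duplicate names). The example below is added here and is not code from the bug report, the advisory, or the libuser project. The passwd sample and the version strings it is run against are constructed; the version comparison is a simplified rpm-style segment compare (numeric segments compared as numbers, alphabetic ones lexically, no epoch handling), not rpm's own rpmvercmp.

```python
import re

# Fixed version-release strings, taken from the package list in the advisory.
FIXED_MGA4 = "0.60-2.1.mga4"
FIXED_MGA5 = "0.60-5.1.mga5"

# Conservative POSIX-style user name pattern (an optional trailing '$' allows
# Samba machine accounts).
_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")

# Constructed sample: line 4 is a truncated record, line 5 is an extra uid-0
# account. Both are the kind of damage a manipulated /etc/passwd would show.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob
evil:x:0:0::/root:/bin/bash
"""


def passwd_problems(text):
    """Return a list of (line_number, reason) for records that are not
    well-formed passwd entries. An empty list means nothing looked wrong."""
    problems = []
    seen_names = set()
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            # Also catches blank lines and records split by a stray newline.
            problems.append((n, "expected 7 fields, found %d" % len(fields)))
            continue
        name, _pw, uid, gid, _gecos, _home, _shell = fields
        if not _NAME_RE.match(name):
            problems.append((n, "bad user name %r" % name))
        elif name in seen_names:
            problems.append((n, "duplicate user name %r" % name))
        seen_names.add(name)
        if not (uid.isdigit() and gid.isdigit()):
            problems.append((n, "non-numeric uid/gid"))
            continue
        if uid == "0" and name != "root":
            problems.append((n, "uid 0 assigned to %r" % name))
    return problems


def _segments(label):
    """Split a version or release label into rpm-style segments."""
    return [int(t) if t.isdigit() else t
            for t in re.findall(r"[0-9]+|[a-zA-Z]+", label)]


def _cmp_label(a, b):
    """Simplified rpm label compare: -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if type(x) is not type(y):
            # rpm treats a numeric segment as newer than an alphabetic one.
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_patched(installed, fixed):
    """True if 'version-release' string `installed` is at least `fixed`.
    `installed` is what `rpm -q --qf '%{VERSION}-%{RELEASE}' libuser` prints
    (epoch is not handled by this simplified compare)."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    c = _cmp_label(iv, fv)
    if c == 0:
        c = _cmp_label(ir, fr)
    return c >= 0


if __name__ == "__main__":
    for n, why in passwd_problems(SAMPLE_PASSWD):
        print("passwd line %d: %s" % (n, why))
    # Constructed "installed" strings: the pre-update release and the fixed one.
    print("0.60-2.mga4 patched:", is_patched("0.60-2.mga4", FIXED_MGA4))
    print("0.60-2.1.mga4 patched:", is_patched("0.60-2.1.mga4", FIXED_MGA4))
```

On a live Mageia host, feed `open("/etc/passwd").read()` to `passwd_problems` and the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' libuser` to `is_patched` with the constant for the release in use; the point of checking the file and not only the package version is that a record damaged before the update stays damaged after it.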
Whiteboard: (none) => MGA4TOO
Advisory committed to svn. Testing shortly.
CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory
URL: (none) => http://lwn.net/Vulnerabilities/652362/
Sorry for the delay, had a power outage here, and fell asleep. Testing complete. Validating the update.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0278.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Bug in the just-pushed libuser: can't edit user groups from mcc or manatools. "invalid content of lock /etc/shadow.lock". I reopen this bug as we need to get to where that bug is.
Status: RESOLVED => REOPENED
CC: (none) => ozkyster
Resolution: FIXED => (none)
Please open a new bug if there's a regression.
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
(In reply to Otto Leipälä from comment #4)
> Bug in just pushed libuser can't edit user groups from mcc or manatools.
> invalid content of lock /etc/shadow.lock
> I reopen this bug as we need to get where that bug is.

It might require a reboot. As I did reboot between installing the update and testing, I'm not sure if it's needed or not.

My /etc/shadow.lock file is empty ...

# ll /etc/shadow.lock
-rw------- 1 root root 0 May 21 2013 /etc/shadow.lock
No, I rebooted many times, so there is a real bug; don't close this yet.
I can reproduce this error in mcc, and it is gone after downgrading to the previous version. However, as suggested by David in comment #5, we should open a new bug for it.
CC: (none) => marc.lattemann
https://bugs.mageia.org/show_bug.cgi?id=16467
No need to create a duplicate bug report, please; we can use the same bug report to update and fix the problem found in the pushed update, as this is related to this exact package.
(In reply to Otto Leipälä from comment #10)
> Don't need to create duplicate bug report please we can use same bug report
> to update and fix problem found from pushed update,as this releated to this
> exact package.

No, creating a new bug report is exactly what had to be done according to our policy. Once an update is pushed, its bug report is closed: the security issue has been fixed. If there are regressions, they need to be reported in another bug report to be fixed in another update.
Yes, you are right; let this bug be buried six feet under and use that new one.
This fix makes Userdrake unstable - it can't normally create or delete the user.
CC: (none) => peter.semiletov
(In reply to Peter Semiletov from comment #13)
> This fix make Userdrake unstable - it can't normally create or delete the
> user.

Fix in progress, see bug 16467.