Bug 18984 - shadow-utils new security issues in newuidmap and newgidmap commands (CVE-2016-625[12])
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/713062/
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks: 618
Reported: 2016-07-19 15:15 CEST by David Walser
Modified: 2017-01-31 04:51 CET

See Also:
Source RPM: shadow-utils-4.2.1-8.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2016-07-19 15:15:46 CEST
Security issues affecting the SUID newuidmap and newgidmap commands have been reported:
http://openwall.com/lists/oss-security/2016/07/19/6

Patches are available in the SuSE bug linked above, but the reporter has asked that upstream review them.

Mageia 5 is also affected.
David Walser 2016-07-19 15:15:57 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-07-20 18:50:07 CEST
Assigning to all packagers collectively, since there is no maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Marja Van Waes 2016-07-20 18:50:24 CEST

CC: (none) => makowski.mageia

Comment 2 David Walser 2016-07-20 19:27:02 CEST
CVE-2016-6251 and CVE-2016-6252 assigned:
http://openwall.com/lists/oss-security/2016/07/20/2

Summary: shadow-utils new security issues in newuidmap and newgidmap commands => shadow-utils new security issues in newuidmap and newgidmap commands (CVE-2016-625[12])

Comment 4 Philippe Makowski 2016-07-26 17:06:47 CEST
Redhat closed CVE-2016-6251 as notabug https://bugzilla.redhat.com/show_bug.cgi?id=1358622
Comment 5 David Walser 2016-07-26 17:19:28 CEST
(In reply to Philippe Makowski from comment #4)
> Redhat closed CVE-2016-6251 as notabug
> https://bugzilla.redhat.com/show_bug.cgi?id=1358622

Yeah, it's not clear yet whether that one's a real issue.  Discussion about it continued yesterday.  We'll see if upstream decides that it's something that needs to be fixed.
Comment 6 Philippe Makowski 2016-08-04 17:11:15 CEST
(In reply to Philippe Makowski from comment #4)
> Redhat closed CVE-2016-6251 as notabug
> https://bugzilla.redhat.com/show_bug.cgi?id=1358622

same upstream https://github.com/shadow-maint/shadow/issues/28
and no news yet for CVE-2016-6252
Comment 7 David Walser 2016-09-10 09:14:37 CEST
4.3.1 fixes the security issue according to Fedora's git commit log:
http://pkgs.fedoraproject.org/cgit/rpms/shadow-utils.git/log/
Comment 8 Philippe Makowski 2016-11-16 19:18:01 CET
RedHat closed CVE-2016-6252 as notabug here https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6252, I think we are in the same position and as such suggest closing this issue.
Comment 9 David Walser 2016-11-16 19:22:28 CET
(In reply to Philippe Makowski from comment #8)
> RedHat closed CVE-2016-6252 as notabug here
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6252, I think we are in
> the same position and such suggest to close this issue.

No, you have to be careful with that.  RedHat closes CVE bugs when they don't impact RHEL.  The Fedora tracker bug is still open:
https://bugzilla.redhat.com/show_bug.cgi?id=1358629

and as I previously mentioned, this is fixed in 4.3.1.
Comment 10 Nicolas Lécureuil 2016-11-18 11:46:36 CET
Can we just simply update to 4.3.1?

CC: (none) => mageia

Comment 11 David Walser 2016-11-18 12:58:26 CET
Certainly for Cauldron we can.  I don't know if there would be any issues with that on 5.
Comment 12 Philippe Makowski 2016-11-19 16:26:34 CET
David, again:
https://bugzilla.redhat.com/show_bug.cgi?id=1358629 is a tracking bug for:
https://bugzilla.redhat.com/show_bug.cgi?id=1358622 and
https://bugzilla.redhat.com/show_bug.cgi?id=1358625
that are both closed as NOTABUG.

So for me, we don't have to worry about mga5, and for cauldron, yes, we can upgrade to 4.3.1, but that's not mandatory.
Comment 13 David Walser 2016-11-19 19:52:49 CET
Philippe, the two CVE bugs you linked which are closed are just the general CVE bugs, which again as I said, RedHat tends to close if RHEL isn't affected.  The Fedora bug is still open because it's valid for them.
Comment 14 Philippe Makowski 2016-11-25 19:38:15 CET
(In reply to Nicolas Lécureuil from comment #10)
> can  we just simply update to 4.3.1 ?

I tried, but without success, some patches need to be reviewed completely, and I didn't manage to build it.

If someone jumps in, don't forget to change the default umask too: https://bugs.mageia.org/show_bug.cgi?id=618
Samuel Verschelde 2017-01-11 09:21:04 CET

Blocks: (none) => 618

Comment 15 Mike Rambo 2017-01-23 22:08:54 CET
Updated package uploaded and freeze push requested for cauldron.

CC: (none) => mrambo

Comment 16 Mike Rambo 2017-01-24 17:44:54 CET
Found a SUSE patch which claims to address both vulnerabilities and which will apply to mga5.

https://www.suse.com/security/cve/CVE-2016-6251/
https://www.suse.com/security/cve/CVE-2016-6252/
https://bugzilla.suse.com/show_bug.cgi?id=979282

The bug links to the patch.

I also changed the default umask per comment #14 above and the discussion in bug 618.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated shadow-utils package fixes security vulnerabilities:

It was found that shadow-utils-4.2.1 had a potentially unsafe use of getlogin with the concern that the utmp entry might have a spoofed username associated with a correct uid (CVE-2016-6251).
 
It was found that shadow-utils-4.2.1 had an incorrect integer handling problem where it looks like the int wrap is exploitable as an LPE, as the kernel is using 32-bit UIDs that are truncated from unsigned longs (64-bit on x64) as returned by simple_strtoul() [map_write()] (CVE-2016-6252).


References:
http://openwall.com/lists/oss-security/2016/07/20/2
https://www.suse.com/security/cve/CVE-2016-6251/
https://www.suse.com/security/cve/CVE-2016-6252/
========================

Updated packages in core/updates_testing:
========================
shadow-utils-4.2.1-6.mga5
shadow-utils-debuginfo-4.2.1-6.mga5

from shadow-utils-4.2.1-6.mga5.src.rpm

Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
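
The integer truncation described in the CVE-2016-6252 advisory text above, as an added example that is not code from this bug report, the SUSE patch, shadow-utils or the kernel: a 64-bit parse accepts a value that a 32-bit id field stores as a different number, while a strict parser rejects it. All function names and the sample value are constructed for illustration, and strtoull stands in for a 64-bit unsigned long parse.

```c
/* Added example; hypothetical names, not shadow-utils or kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Loose parse: accepts any value that fits in 64 bits, as a 64-bit
 * unsigned long parse would on x86_64. Returns 0 on success. */
int parse_id_loose(const char *s, unsigned long long *out)
{
    char *end;
    errno = 0;
    *out = strtoull(s, &end, 10);
    return (errno == 0 && end != s && *end == '\0') ? 0 : -1;
}

/* What a consumer that stores the id in 32 bits ends up with. */
uint32_t as_u32(unsigned long long v) { return (uint32_t)v; }

/* Strict parse: must start with a digit and fit in a 32-bit id. */
int parse_id_strict(const char *s, uint32_t *out)
{
    unsigned long long v;
    if (s[0] < '0' || s[0] > '9')   /* strtoull alone accepts "-1", "+1", " 1" */
        return -1;
    if (parse_id_loose(s, &v) != 0 || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* A range [start, start+count) must also stay inside the 32-bit id space. */
int range_ok(uint32_t start, uint32_t count)
{
    return count != 0 && count - 1 <= UINT32_MAX - start;
}

int main(void)
{
    const char *sample = "4294968296";   /* constructed: 2^32 + 1000 */
    unsigned long long wide;
    uint32_t id;
    if (parse_id_loose(sample, &wide) == 0)
        printf("loose: %llu, stored as 32-bit: %u\n", wide, (unsigned)as_u32(wide));
    printf("strict accepts it: %s\n", parse_id_strict(sample, &id) == 0 ? "yes" : "no");
    return 0;
}
```

A privileged helper that validates the wide value while another component acts on the truncated one is checking a different id from the one that gets used, which is why the range check belongs at parse time.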

Comment 17 Mike Rambo 2017-01-24 17:48:46 CET
I did not find any previous test procedure but I would suggest that creating a user, setting a password, logging in as that user, and then deleting that user would be a good start for testing this update.

sudo useradd newuser
sudo passwd newuser
<log in and test>
sudo userdel -r newuser
Comment 18 Herman Viaene 2017-01-27 10:14:16 CET
MGA5-32 on AsusA6000VM Xfce
No installation issues
created a new user as above, logged in, checked I could create a document in its tmp folder
exited, deleted user and made sure its home folder is gone. All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Lewis Smith 2017-01-27 11:19:42 CET

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 19 Lewis Smith 2017-01-27 12:13:01 CET
Testing M5_64. Thanks to Mike Comment 17 for guidance.

AFTER update: shadow-utils-4.2.1-6.mga5

 # useradd testuser

 # passwd testuser
 Changing password for user testuser.
 New password: 
 Retype new password: 
 passwd: all authentication tokens updated successfully.
 # ls -a /home/testuser/
 ./   .bash_completion  .bash_logout   .bashrc  .mozilla/  tmp/
 ../  .bash_history     .bash_profile  .gnupg/  .screenrc

[Played a little as testuser in a virtual console]

 # userdel -r testuser
 userdel: user testuser is currently used by process 18680
[18680 ?        Ss     0:00 /usr/lib/systemd/systemd --user]
 # kill 18680
 # userdel -r testuser
 userdel: testuser mail spool (/var/spool/mail/testuser) not found

 # ls /home
 lewis/

Tested OK. Validating; advisory already in place.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 20 Mageia Robot 2017-01-27 21:31:32 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0024.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2017-01-31 04:51:16 CET

URL: (none) => https://lwn.net/Vulnerabilities/713062/

