Security issues affecting the SUID newuidmap and newgidmap commands have been reported: http://openwall.com/lists/oss-security/2016/07/19/6 Patches are available in the SuSE bug linked above, but the reporter has asked that upstream review them. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
CC: (none) => makowski.mageia
CVE-2016-6251 and CVE-2016-6252 assigned: http://openwall.com/lists/oss-security/2016/07/20/2
Summary: shadow-utils new security issues in newuidmap and newgidmap commands => shadow-utils new security issues in newuidmap and newgidmap commands (CVE-2016-625[12])
Upstream bugs:
https://github.com/shadow-maint/shadow/issues/28
https://github.com/shadow-maint/shadow/issues/27

There is also a discussion on oss-security and pkg-shadow-devel:
http://seclists.org/oss-sec/2016/q3/120
https://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2016-July/011017.html
Redhat closed CVE-2016-6251 as notabug https://bugzilla.redhat.com/show_bug.cgi?id=1358622
(In reply to Philippe Makowski from comment #4)
> Redhat closed CVE-2016-6251 as notabug
> https://bugzilla.redhat.com/show_bug.cgi?id=1358622

Yeah, it's not clear yet whether that one's a real issue. Discussion about it continued yesterday. We'll see if upstream decides that it's something that needs to be fixed.
(In reply to Philippe Makowski from comment #4)
> Redhat closed CVE-2016-6251 as notabug
> https://bugzilla.redhat.com/show_bug.cgi?id=1358622

Same upstream: https://github.com/shadow-maint/shadow/issues/28 and no news yet for CVE-2016-6252.
4.3.1 fixes the security issue according to Fedora's git commit log: http://pkgs.fedoraproject.org/cgit/rpms/shadow-utils.git/log/
RedHat closed CVE-2016-6252 as notabug here: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6252. I think we are in the same position and as such suggest closing this issue.
(In reply to Philippe Makowski from comment #8)
> RedHat closed CVE-2016-6252 as notabug here:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6252. I think we are in
> the same position and as such suggest closing this issue.

No, you have to be careful with that. RedHat closes CVE bugs when they don't impact RHEL. The Fedora tracker bug is still open: https://bugzilla.redhat.com/show_bug.cgi?id=1358629 and as I previously mentioned, this is fixed in 4.3.1.
Can we just simply update to 4.3.1?
CC: (none) => mageia
Certainly for Cauldron we can. I don't know if there would be any issues with that on 5.
David, again: https://bugzilla.redhat.com/show_bug.cgi?id=1358629 is a tracking bug for:
https://bugzilla.redhat.com/show_bug.cgi?id=1358622
and
https://bugzilla.redhat.com/show_bug.cgi?id=1358625
that are both closed as NOTABUG.

So for me, we don't have to worry for mga5, and for cauldron, yes, we can upgrade to 4.3.1, but that's not mandatory.
Philippe, the two CVE bugs you linked which are closed are just the general CVE bugs, which again as I said, RedHat tends to close if RHEL isn't affected. The Fedora bug is still open because it's valid for them.
(In reply to Nicolas Lécureuil from comment #10)
> Can we just simply update to 4.3.1?

I tried, but without success; some patches need to be reviewed completely, and I didn't manage to build it. If someone jumps in, don't forget to change the default umask too: https://bugs.mageia.org/show_bug.cgi?id=618
Blocks: (none) => 618
Updated package uploaded and freeze push requested for cauldron.
CC: (none) => mrambo
Found a suse patch which claims to address both vulnerabilities and which will apply to mga5.

https://www.suse.com/security/cve/CVE-2016-6251/
https://www.suse.com/security/cve/CVE-2016-6252/
https://bugzilla.suse.com/show_bug.cgi?id=979282

The bug links to the patch. I also changed the default umask per comment #14 above and the discussion in bug 618.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated shadow-utils package fixes security vulnerabilities:

It was found that shadow-utils-4.2.1 had a potentially unsafe use of getlogin with the concern that the utmp entry might have a spoofed username associated with a correct uid (CVE-2016-6251).

It was found that shadow-utils-4.2.1 had an incorrect integer handling problem where it looks like the int wrap is exploitable as a LPE, as the kernel is using 32bit uid's that are truncated from unsigned longs (64bit on x64) as returned by simple_strtoul() [map_write()]. (CVE-2016-6252).

References:
http://openwall.com/lists/oss-security/2016/07/20/2
https://www.suse.com/security/cve/CVE-2016-6251/
https://www.suse.com/security/cve/CVE-2016-6252/
========================

Updated packages in core/updates_testing:
========================
shadow-utils-4.2.1-6.mga5
shadow-utils-debuginfo-4.2.1-6.mga5

from shadow-utils-4.2.1-6.mga5.src.rpm

Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
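Added example, not part of this report and not code from shadow-utils or from the SUSE patch: the integer handling described in the CVE-2016-6252 advisory text, shown as a parse that truncates a wide value to 32 bits beside a parse that rejects anything that does not fit. The function names, the "inner outer count" range helper and the sample values are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* All function names in this example are hypothetical. */
/* Weak form: parse wide, then let the cast silently drop the high 32 bits. */
uint32_t parse_id_truncating(const char *s)
{
    return (uint32_t)strtoull(s, NULL, 10);
}

/* Checked form: only a plain decimal number that fits in 32 bits is accepted. */
bool parse_id_checked(const char *s, uint32_t *out)
{
    char *end;
    unsigned long long v;

    if (s[0] < '0' || s[0] > '9')   /* rejects "", "-1", "+1", " 1" */
        return false;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT32_MAX)
        return false;
    *out = (uint32_t)v;
    return true;
}

/* One map range "inner outer count": every id in it must fit in 32 bits. */
bool range_checked(const char *inner, const char *outer, const char *count)
{
    uint32_t in, out, n;

    if (!parse_id_checked(inner, &in) || !parse_id_checked(outer, &out) ||
        !parse_id_checked(count, &n) || n == 0)
        return false;
    /* in + n - 1 and out + n - 1 must not wrap past UINT32_MAX */
    return n - 1 <= UINT32_MAX - in && n - 1 <= UINT32_MAX - out;
}

int main(void)
{
    uint32_t id = 0;   /* inputs below are constructed sample values */
    printf("truncating 4294967296 -> %u\n", (unsigned)parse_id_truncating("4294967296"));
    printf("checked 4294967296 accepted: %d\n", parse_id_checked("4294967296", &id));
    printf("range 0 100000 65536 accepted: %d\n", range_checked("0", "100000", "65536"));
    return 0;
}
```

The point of the checked form is that the value compared against the authorised range and the value finally written are the same 32-bit number.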
I did not find any previous test procedure but I would suggest that creating a user, setting a password, logging in as that user, and then deleting that user would be a good start for testing this update.

sudo useradd newuser
sudo passwd newuser
<log in and test>
sudo userdel -r newuser
MGA5-32 on AsusA6000VM Xfce
No installation issues.
Created a new user as above, logged in, checked I could create a document in its tmp folder, exited, deleted user and made sure its home folder is gone.
All OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
Testing M5_64. Thanks to Mike Comment 17 for guidance.

AFTER update: shadow-utils-4.2.1-6.mga5

# useradd testuser
# passwd testuser
Changing password for user testuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# ls -a /home/testuser/
./ .bash_completion .bash_logout .bashrc .mozilla/ tmp/
../ .bash_history .bash_profile .gnupg/ .screenrc
[Played a little as testuser in a virtual console]
# userdel -r testuser
userdel: user testuser is currently used by process 18680
[18680 ? Ss 0:00 /usr/lib/systemd/systemd --user]
# kill 18680
# userdel -r testuser
userdel: testuser mail spool (/var/spool/mail/testuser) not found
# ls /home
lewis/

Tested OK. Validating; advisory already in place.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0024.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => https://lwn.net/Vulnerabilities/713062/