Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated shadow-utils packages fix security vulnerability:

Privilege escalation in newgidmap, which allowed an unprivileged user to be
placed in a user namespace where setgroups(2) is allowed (CVE-2018-7169).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7169
https://lists.opensuse.org/opensuse-updates/2018-03/msg00036.html
========================

Updated packages in core/updates_testing:
========================
shadow-utils-4.2.1-6.2.mga5
shadow-utils-4.4-1.2.mga6

from SRPMS:
shadow-utils-4.2.1-6.2.mga5.src.rpm
shadow-utils-4.4-1.2.mga6.src.rpm

Assignee: basesystem => qa-bugs
Whiteboard: MGA6TOO => MGA5TOO
Severity: normal => major
Version: Cauldron => 6

Testing M5/64
The package contains these programs to play with, many to be run as root, all with man pages:
- chage - change user password expiry information
- gpasswd - administer /etc/group and /etc/gshadow
- lastlog - reports the most recent login of all users or of a given user
- newgidmap - set the gid mapping of a user namespace [obscure]
- newgrp - log in to a new group
- newuidmap - set the uid mapping of a user namespace [obscure]
- sg - execute command as different group ID

AFTER update to: shadow-utils-4.2.1-6.2.mga5.x86_64

 $ chage -l lewis
Password: 
 then a list of password expiry parameters.

 # chage root
Changing the aging information for root
Enter the new value, or press ENTER for the default
 then each parameter in turn presented, with default value.

User lewis2 is not in wheel:
 # gpasswd -a lewis2 wheel
 Adding user lewis2 to group wheel
confirmed with MCC that this happened.
 # gpasswd -d lewis2 wheel
 Removing user lewis2 from group wheel
confirmed with MCC that this happened.
-----------
But I hit an anomaly here; user lewis2 is shown by MCC & /etc/passwd as being in group lewis GID 1000:
 # grep lewis2 /etc/passwd
 lewis2:x:1002:1000::/home/lewis2:/bin/bash
but that group does *not* include lewis2. Confirmed by:
 # grep ^lewis /etc/group
 lewis:x:1000:            [would be appended]
 # gpasswd -d lewis2 lewis
 Removing user lewis2 from group lewis
 gpasswd: user 'lewis2' is not a member of 'lewis'
---------
 $ lastlog
Username         Port     From             Latest
root             tty2                      Sad Rha 30 14:28:57 +0100 2017
bin                                        **Never logged in**
 etc etc to
lewis2           pts/1    127.0.0.1        Sul Maw 19 10:17:13 +0100 2017
siproxd                                    **Never logged in**
 which looks OK.
 $ lastlog -b 100 | grep -v 'Never logged in'
Username         Port     From             Latest
lewis2           pts/1    127.0.0.1        Sul Maw 19 10:17:13 +0100 2017
$ lastlog -t 100
Username         Port     From             Latest
root             tty2                      Sad Rha 30 14:28:57 +0100 2017
lewis            tty2                      Llu Ion 29 09:50:33 +0100 2018
 all looks OK.

 $ id
uid=1001(lewis) gid=1000(lewis) groups=1000(lewis),10(wheel),969(wireshark)
 $ newgrp wheel
 $ id
uid=1001(lewis) gid=10(wheel) groups=10(wheel),969(wireshark),1000(lewis)
 Looks good, as does the update.

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Testing M6 x64
It seems I was very wrong in comment 2 about the programs provided by this pkg; they are far more numerous (I doubted the shorter list I got from:
 $ urpmq -l shadow-utils | grep bin | sort -u
), including those listed above plus at least:
The pwconv command converts passwords to the shadow password format.
The pwunconv command unconverts shadow passwords and generates an npasswd file
The pwck command checks the integrity of password and shadow files.
The useradd, userdel and usermod commands are used for managing user accounts.  The groupadd, groupdel and groupmod commands are used for managing group accounts.
+  several more.

I can do more on the M5 front, but for now, M6 AFTER the update:
 shadow-utils-4.4-1.2.mga6

"By default, pwck operates on the files /etc/passwd and /etc/shadow" (both of which exist), but are not mentioned by:
 # pwck
user 'adm': directory '/var/adm' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
user 'avahi-autoipd': directory '/var/lib/avahi-autoipd' does not exist
user 'dirsrv': directory '/var/lib/dirsrv' does not exist
user 'powerdns': directory '/var/lib/powerdns' does not exist
pwck: no changes
 Oh well.

 # useradd -g lewis -G wheel -m lewis2      [no p/w]
 # tail -1 /etc/passwd
 lewis2:x:1002:1001::/home/lewis2:/bin/bash
 # grep lewis /etc/group
 wheel:x:10:lewis,lewis2       [correct]
 lewis:x:1001:                 [but why not here? See c2]
 # grep lewis2 /etc/shadow
 lewis2:!:17608:0:99999:7:::
 # ls -l  /home/lewis2
 drwx------ 2 lewis2 lewis 4096 Chw  19  2016 tmp/

All this looks OK (group lewis enigma apart). Nor could I log into lewis2 without any password. Oh dear, trying:
 # usermod -p <password> lewis2
I was unable to log in (from a virtual console) at all to lewis2 with any password thus defined.

 # usermod -G wireshark lewis2
 # grep lewis /etc/group
 wheel:x:10:lewis
 wireshark:x:954:lewis,lewis2
is correct: removed from group wheel, added to group wireshark.
 # usermod -a -G wheel lewis2
 # grep lewis2 /etc/group
 wheel:x:10:lewis,lewis2
 wireshark:x:954:lewis,lewis2
is also correct, retaining lewis2 in group wireshark & adding him to group wheel.

 # userdel -r lewis2
 userdel: lewis2 mail spool (/var/spool/mail/lewis2) not found   [OK here]
Removed lewis2 from /etc/passwd | shadow | group (those groups to which he belonged - above). Also removed /home/lewis2. All OK.

 # groupadd lewis2
 # grep lewis2 /etc/group
 lewis2:x:1002:
OK.
 # groupmod -n newname -g 1010 lewis2
 # grep lewis2 /etc/group
 # grep newname /etc/group
 newname:x:1010:
Correctly changed group name & GID.
 # usermod -a -G newname lewis
 # grep lewis /etc/group
 lewis:x:1001:
 newname:x:1010:lewis
added lewis to group newname.
 # groupdel newname
removes the group, & lewis' association with it.

 # lastlog -b 100 | grep -v 'Never logged in'
 Username         Port     From             Latest
correct: no old logins. Now need to be root for this.
  # lastlog -t 10
 Username         Port     From             Latest
 root             tty2                      Sul Maw 18 20:54:12 +0100 2018
 lewis            tty2                      Sul Maw 18 20:54:01 +0100 2018
Shows only recent logins. Correct.

 $ chage -l lewis
Similar to M5 result c2. OK
 # chage root
Similar to M5 result c2. OK

I cannot believe that the problem of passwords for new user (with or without a password given, I could never log in or su to it) relates to this update. For safety, I am witholding OKs.
I will downgrade the pkg. If that behaviour was there before, I will put both OKs up & validate.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO

M5 & M6 x64

BEFORE both updates:
I reverted to:
 shadow-utils-4.2.1-6.1.mga5
 shadow-utils-4.4-1.1.mga6
and tried all sorts of ways of using the -p password parameter with both useradd (none, specified) and usermod (change), and could never login nor su to the user. I tried from both terminal window and virtual console. Always, I admit, without re-booting; but that should not be necessary.
In all cases, the newly introduced user *was* present in /etc/passwd, /etc/shadow and /etc/group.
This is curious, because I am sure I have used useradd etc successfully in the past, i.e. being able to login to the new user.

Since the post-update behaviour is the same, I am OKing & validating the update.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0177.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED