Bug 32285 - shadow new security issue CVE-2023-4641
Summary: shadow new security issue CVE-2023-4641
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-13 14:19 CEST by Nicolas Salguero
Modified: 2023-09-26 10:11 CEST
CC List: 2 users

See Also:
Source RPM: shadow-utils-4.13-1.mga9.src.rpm
CVE:
Status comment:



Description Nicolas Salguero 2023-09-13 14:19:46 CEST
SUSE has issued an advisory today (September 13):
https://www.suse.com/support/update/announcement/2023/suse-su-20233591-1/
Nicolas Salguero 2023-09-13 14:21:35 CEST

Whiteboard: (none) => MGA9TOO, MGA8TOO
Source RPM: (none) => shadow-utils-4.13-1.mga9.src.rpm
CC: (none) => nicolas.salguero

Comment 1 Lewis Smith 2023-09-13 20:26:01 CEST
The advisory-bugzilla entry shows shadow-4.8.1 as the fix... which we have had since Aug 2021.

Assigning globally as no packager in view for this SRPM.

Status comment: (none) => ? Fix v4.8.1
Assignee: bugsquad => pkg-bugs

Nicolas Salguero 2023-09-14 14:31:29 CEST

Status comment: ? Fix v4.8.1 => Fix in version 4.14.0-rc1

Comment 2 Nicolas Salguero 2023-09-14 15:13:16 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Potential password leak. (CVE-2023-4641)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4641
https://www.suse.com/support/update/announcement/2023/suse-su-20233591-1/
========================

Updated packages in 9/core/updates_testing:
========================
lib64subid4-4.13-1.1.mga9
lib64subid-devel-4.13-1.1.mga9
shadow-utils-4.13-1.1.mga9

from SRPM:
shadow-utils-4.13-1.1.mga9.src.rpm

Updated package in 8/core/updates_testing:
========================
shadow-utils-4.6-4.2.mga8

from SRPM:
shadow-utils-4.6-4.2.mga8.src.rpm

Assignee: pkg-bugs => nicolas.salguero
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Status comment: Fix in version 4.14.0-rc1 => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED

Nicolas Salguero 2023-09-18 09:25:21 CEST

Assignee: nicolas.salguero => qa-bugs

Comment 3 Herman Viaene 2023-09-23 14:49:13 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
Ref bug 31198 Comment 8
# useradd prutser
# getent passwd {1000..60000}
tester8:x:1000:1000:Tester8:/home/tester8:/bin/bash
prutser:x:1001:1001::/home/prutser:/bin/bash
[root@mach7 ~]# usermod -p pruts prutser
Now as normal user in second terminal tab
$ su -l prutser
Password: 
su: Authentication failure
repeated to exclude finger trouble, no avail
Used MCC to handle users, prutser is there, changed password to pruts there and then the su command works
$ su -l prutser
Password: 
[prutser@mach7 ~]$ pwd
/home/prutser
Continuing test
# userdel prutser
userdel: user prutser is currently used by process 9350
That's right, prutser is still logged in in the other terminal tab
Giving the exit command there and then
# userdel prutser
no feedback, that's OK
Checked in MCC, prutser is gone
# getent passwd {1000..60000}
tester8:x:1000:1000:Tester8:/home/tester8:/bin/bash
Can someone explain why I couldn't log in after the usermod command???

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2023-09-26 10:11:59 CEST
MGA9-64 Xfce on Acer Aspire 5253
No installation issues.
Exactly the same commands and results as in Comment 3 above.
If someone could explain why the usermod command does not give the result I expected, I will give the OK, but for now I don't trust this behavior.
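
The test procedure in Comment 3 and Comment 4 stores a password with "usermod -p pruts". Per usermod(8), -p takes the already encrypted password as returned by crypt(3), not a plaintext word, so the literal string "pruts" lands in the password field of /etc/shadow and no typed password can ever hash to it. The script below is an added example written for this page, not part of the bug thread or of shadow-utils: it classifies the password field of shadow(5)-format lines so a tester can see whether a field is a crypt(3) hash, a locked marker, or something login will never accept. The sample lines, the user names and the function names (classify_field, shadow_status) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug thread): sanity-check what "usermod -p"
# actually wrote by classifying the password field of shadow(5)-style lines.
# usermod -p expects a crypt(3) hash ($id$salt$hash); a plaintext argument is
# stored literally and authentication then fails, since crypt(input, field)
# can never equal a field that is not itself a crypt(3) hash.

# Constructed sample lines in shadow(5) layout (not real /etc/shadow content).
# "prutser" shows the field left behind by "usermod -p pruts".
SHADOW_SAMPLE='tester8:$6$constructedsalt$constructedhashvalue:19613:0:99999:7:::
prutser:pruts:19613:0:99999:7:::
locked:!:19613:0:99999:7:::
nologin:*:19613:0:99999:7:::'

# classify_field FIELD: print hashed / locked / empty / invalid
classify_field() {
    case "$1" in
        '$'*'$'*) echo hashed ;;   # $id$salt$hash, the crypt(3) format
        '!'*|'*') echo locked ;;   # "!" (passwd -l) or "*" (no login)
        '')       echo empty ;;    # empty field: password-less login may be allowed
        *)        echo invalid ;;  # not a crypt(3) hash; login will always fail
    esac
}

# shadow_status USER: look USER up in SHADOW_SAMPLE and classify its field.
# Prints "nouser" when the name is absent (a real check would read /etc/shadow
# as root instead of the constructed sample).
shadow_status() {
    line=$(printf '%s\n' "$SHADOW_SAMPLE" | grep "^$1:") || { echo nouser; return 0; }
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    classify_field "$field"
}

# Stand-alone run: report each constructed user, as a post-usermod check would
for u in tester8 prutser locked nologin; do
    printf '%s: %s\n' "$u" "$(shadow_status "$u")"
done
```

Run against the sample, "prutser" reports "invalid", which is the state the "su: Authentication failure" in Comment 3 corresponds to. The supported ways to set the password non-interactively are to pass usermod -p a real hash (for example one produced by "openssl passwd -6") or to use passwd or chpasswd, which hash the input themselves; a GUI tool such as MCC does the hashing too, which is why the password set there works.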
