Bug 3995 - libuser missing security update for CVE-2011-0002
Summary: libuser missing security update for CVE-2011-0002
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal / Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-01-01 20:18 CET by David Walser
Modified: 2012-01-09 15:24 CET (History)
5 users

See Also:
Source RPM: libuser-0.56.18-4.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-01-01 20:18:31 CET
Mandriva issued this advisory on January 26:
http://lists.mandriva.com/security-announce/2011-01/msg00022.php
Comment 1 Manuel Hiebel 2012-01-01 20:48:53 CET
Hi, thanks for reporting this bug.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
CC: (none) => cazzaniga.sandro, mageia, thierry.vignaud

Comment 2 D Morgan 2012-01-03 02:10:49 CET
fixed in svn.

Please test rpms in updates_testing

CC: (none) => dmorganec
Assignee: bugsquad => qa-bugs

Comment 3 claire robinson 2012-01-03 12:10:34 CET
$ urpmq --whatrequires libuser
libuser
libuser1
passwd
userdrake


Testing x86_64

The following 2 packages are going to be installed:

- lib64user1-0.56.18-4.1.mga1.x86_64
- libuser-0.56.18-4.1.mga1.x86_64

Created a new user with userdrake

# cat /etc/passwd | grep testuser
testuser:x:501:501:Test User:/home/testuser:/bin/bash

# cat /etc/group | grep testuser
testuser:x:501:

# cat /etc/shadow | grep testuser
testuser:$2a$08$FCnQFTuULmR.4ztV1WBVL.Ch7uDVwqZiPcT3fOVPkOpBISY.toap2:15342:-1:99999:-1:::

Logged in via ssh.

Testing complete x86_64 for SRPM
libuser-0.56.18-4.1.mga1.src.rpm
Thierry Vignaud 2012-01-03 18:05:29 CET

CC: thierry.vignaud => (none)

Comment 4 David Walser 2012-01-03 23:05:35 CET
Tested successfully on i586.
David Walser 2012-01-08 23:58:25 CET

Keywords: Triaged => validated_update
CC: (none) => sysadmin-bugs

Comment 5 David Walser 2012-01-09 11:34:36 CET
Suggested advisory:
=====================

Updated libuser packages fix security vulnerability:

libuser before 0.57 uses a cleartext password value of (1) !! or (2) x
for new LDAP user accounts, which makes it easier for remote attackers
to obtain access by specifying one of these values (CVE-2011-0002).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0002
http://www.mandriva.com/support/security/advisories/?dis=2010.1&name=MDVSA-2011:019
=====================

Updated packages in core/updates_testing:
=====================
libuser-0.56.18-4.1.mga1
libuser-devel-0.56.18-4.1.mga1
libuser-ldap-0.56.18-4.1.mga1
libuser-python-0.56.18-4.1.mga1
libuser1-0.56.18-4.1.mga1

from libuser-0.56.18-4.1.mga1.src.rpm
=====================
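Added example, not libuser's own code and not part of this bug report: a small Python checker that illustrates the advisory's point. In /etc/passwd and /etc/shadow a field of "x" or "!!" is a placeholder (look in shadow / account locked), which is why claire robinson's test above shows "!!"-style semantics working as expected on a local account; in an LDAP userPassword attribute the same bare strings are simply the cleartext passwords "!!" and "x", and a remote client can bind with them. The script flags such values in an LDIF export of the user tree. The LDIF below is constructed for the example; the scheme check assumes RFC 2307-style `{SCHEME}` prefixes, and a scheme-tagged value such as `{CRYPT}!!` is not flagged because "!!" is not a valid crypt(3) output and can never verify.

```python
"""Flag cleartext placeholder passwords in LDAP user entries (CVE-2011-0002 pattern).

Added example, not libuser code. Assumes an LDIF export (RFC 2849) of the
user tree; attribute names are matched case-insensitively.
"""
import base64
import re

# Placeholders libuser < 0.57 wrote into userPassword for new accounts.
PLACEHOLDER_VALUES = {"!!", "x"}

# RFC 2307-style scheme prefix, e.g. {CRYPT}, {SSHA}, {MD5}.
SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")

# Constructed sample: alice is hashed, bob and carol carry the bad placeholders
# (bob's is base64-encoded, as ldapsearch commonly emits userPassword),
# dave has a scheme-tagged value that can never verify.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
userPassword: {CRYPT}$6$saltsalt$notarealhashvalue

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
userPassword:: ISE=

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: carol
userPassword: x

dn: uid=dave,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: dave
userPassword: {CRYPT}!!
"""


def parse_ldif(text):
    """Minimal LDIF parser: list of {attr_lower: [values]} per entry.

    Handles folded continuation lines (leading space), '::' base64 values
    and '#' comments. Enough for exports of simple posixAccount entries."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if current is None:
            current = {}
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def shadow_field_is_locked(field):
    """/etc/shadow semantics: a password field beginning with '!' or '*'
    is not a valid hash, so no password can ever match it."""
    return field.startswith("!") or field.startswith("*")


def ldap_password_is_placeholder(value):
    """True when userPassword is a bare '!!' or 'x': in LDAP that is a
    literal cleartext password a remote client can bind with."""
    if SCHEME_RE.match(value):
        return False  # hashed / scheme-tagged, verified by the server as a hash
    return value in PLACEHOLDER_VALUES


def find_vulnerable_accounts(ldif_text):
    """Return (dn, value) for every entry whose userPassword is a placeholder."""
    hits = []
    for entry in parse_ldif(ldif_text):
        for pw in entry.get("userpassword", []):
            if ldap_password_is_placeholder(pw):
                hits.append((entry["dn"][0], pw))
    return hits


if __name__ == "__main__":
    for dn, pw in find_vulnerable_accounts(SAMPLE_LDIF):
        print(f"VULNERABLE {dn}: userPassword is cleartext {pw!r}")
```

To run it against a real directory, replace SAMPLE_LDIF with the output of an `ldapsearch` over the people subtree (as a DN permitted to read userPassword) and lock or re-hash every account it reports before assuming the package update alone closed the hole: the update stops new accounts from being created this way, but existing entries keep whatever value was written earlier.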
Comment 6 David Walser 2012-01-09 14:00:18 CET
Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Hardware: i586 => All

Comment 7 Thomas Backlund 2012-01-09 15:24:25 CET
update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

