Bug 9581 - libuser new security issues CVE-2012-5630 and CVE-2012-5644
: libuser new security issues CVE-2012-5630 and CVE-2012-5644
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/546514/
: has_procedure mga2-64-ok mga2-32-ok
: validated_update
  Show dependency treegraph
Reported: 2013-04-01 01:07 CEST by David Walser
Modified: 2013-04-18 21:07 CEST (History)
2 users (show)

See Also:
Source RPM: libuser-0.57.3-1.mga2.src.rpm
Status comment:


Description David Walser 2013-04-01 01:07:29 CEST
libuser 0.59 was released, fixing some security issues.

Freeze push for Cauldron requested.

Fedora backported a patch for 0.57.6 that might work for Mageia 2:


Steps to Reproduce:
Comment 1 David Walser 2013-04-02 22:53:44 CEST
libuser 0.59 pushed in Cauldron.
Comment 2 David Walser 2013-04-02 23:34:16 CEST
Patch applies in Mageia 2, but it doesn't build:

It looks like it doesn't like the lu_util_fscreate_from_fd calls on lines 243 and 460 of apps/apputil.c.  lu_util_fscreate_from_fd is a function if compiled --with-selinux (as Fedora does), but is a macro if compiled --without-selinux (as we do).  These are defined in lib/user_private.h.
Comment 3 David Walser 2013-04-04 18:21:26 CEST
There was a bug in the macro (which is being added in this patch), which was addressed upstream in the last commit for 0.59.  I've made the appropriate change to the patch.

Patched package uploaded for Mageia 2.

The references will be updated when Fedora's F18 update is pushed.


Updated libuser packages fix security vulnerabilities:

A TOCTOU (time-of-check time-of-use) race condition was found in the way
libuser performed copying and removal of (user) directory trees. A local
attacker, with permissions to write into particular directory, could use
this flaw to conduct symbolic link attacks, leading to their ability to
alter / remove directories outside of this directory (tree), if this
directory was simultaneously modified (copied or removed) via libuser
functionality (CVE-2012-5630).

An information disclosure flaw was found in the way libuser performed
movement of user's home directory. Previously, during the move the
ownership of all the (sub)entries present in directory tree, to be moved,
were changed from privileged user account to the effective user id of the
user, the home directory should belong to. A local attacker could use this
flaw to conduct hardlink attacks and possibly obtain unauthorized access
to arbitrary system file (CVE-2012-5644).


Updated packages in core/updates_testing:

from libuser-0.57.3-1.1.mga2.src.rpm
Comment 4 claire robinson 2013-04-06 11:24:54 CEST
Testing mga2 64 using user management commands from
$ urpmf libuser: | grep bin

Confirming libuser is used by running under strace
# strace -o strace.txt luseradd testuser
# grep user strace.txt

Comparing with results from
$ urpmf libuser:
$ urpmf lib64user1

# strace -o strace.txt lpasswd testuser
New password:
New password (confirm):
Password changed.
# grep user strace.txt

Looking for things like..
open("/usr/lib64/libuser.so.1", O_RDONLY) = 3
open("/etc/libuser.conf", O_RDONLY)     = 3
open("/usr/lib64/libuser/libuser_files.so", O_RDONLY) = 3
open("/usr/lib64/libuser/libuser_shadow.so", O_RDONLY) = 3

Check it's worked..
# grep testuser /etc/passwd
# grep testuser /etc/group

Check correct ownership in /home
# ll -d /home/testuser
drwx------ 4 testuser testuser 4096 Apr  6 10:05 /home/testuser/

# ll -a /home/testuser
total 36
drwx------ 4 testuser testuser 4096 Apr  6 10:05 ./
drwxr-xr-x 6 root     root     4096 Apr  6 10:05 ../
-rw-r--r-- 1 testuser testuser  387 Jan  9  2012 .bash_completion
-rw-r--r-- 1 testuser testuser   24 Jul 25  2012 .bash_logout
-rw-r--r-- 1 testuser testuser  191 Jul 25  2012 .bash_profile
-rw-r--r-- 1 testuser testuser  124 Jul 25  2012 .bashrc
drwxr-xr-x 4 testuser testuser 4096 May 24  2012 .mozilla/
-rw-r--r-- 1 testuser testuser 3793 Jan  8  2011 .screenrc
drwx------ 2 testuser testuser 4096 Jan 11  2011 tmp/

Remove testuser
# luserdel -r testuser
# ll -a /home/testuser
ls: cannot access /home/testuser: No such file or directory
Comment 5 claire robinson 2013-04-06 12:06:45 CEST
Testing complete mga2 32


Advisory & srpm in comment 3

Could sysadmin please push from core/updates_testing to core/updates

Comment 6 Thomas Backlund 2013-04-06 15:19:38 CEST
Update pushed:
Comment 7 David Walser 2013-04-18 21:07:29 CEST
Fedora has issued an advisory for this:

Note You need to log in before you can comment on or make changes to this bug.