Bug 9581 - libuser new security issues CVE-2012-5630 and CVE-2012-5644
: libuser new security issues CVE-2012-5630 and CVE-2012-5644
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/546514/
: has_procedure mga2-64-ok mga2-32-ok
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-04-01 01:07 CEST by David Walser
Modified: 2013-04-18 21:07 CEST (History)
2 users (show)

See Also:
Source RPM: libuser-0.57.3-1.mga2.src.rpm
CVE:


Attachments

Description David Walser 2013-04-01 01:07:29 CEST
libuser 0.59 was released, fixing some security issues.

Freeze push for Cauldron requested.

Fedora backported a patch for 0.57.6 that might work for Mageia 2:
http://pkgs.fedoraproject.org/cgit/libuser.git/commit/?h=f17&id=78a55bf498cac0b430ba6512654860c39dfd0bf9

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-04-02 22:53:44 CEST
libuser 0.59 pushed in Cauldron.
Comment 2 David Walser 2013-04-02 23:34:16 CEST
Patch applies in Mageia 2, but it doesn't build:
http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20130402210500.luigiwalser.valstar.4305/log/libuser-0.57.3-1.1.mga2/build.0.20130402210505.log

It looks like it doesn't like the lu_util_fscreate_from_fd calls on lines 243 and 460 of apps/apputil.c.  lu_util_fscreate_from_fd is a function if compiled --with-selinux (as Fedora does), but is a macro if compiled --without-selinux (as we do).  These are defined in lib/user_private.h.
Comment 3 David Walser 2013-04-04 18:21:26 CEST
There was a bug in the macro (which is being added in this patch), which was addressed upstream in the last commit for 0.59.  I've made the appropriate change to the patch.

Patched package uploaded for Mageia 2.

The references will be updated when Fedora's F18 update is pushed.

Advisory:
========================

Updated libuser packages fix security vulnerabilities:

A TOCTOU (time-of-check time-of-use) race condition was found in the way
libuser performed copying and removal of (user) directory trees. A local
attacker, with permissions to write into particular directory, could use
this flaw to conduct symbolic link attacks, leading to their ability to
alter / remove directories outside of this directory (tree), if this
directory was simultaneously modified (copied or removed) via libuser
functionality (CVE-2012-5630).

An information disclosure flaw was found in the way libuser performed
movement of user's home directory. Previously, during the move the
ownership of all the (sub)entries present in directory tree, to be moved,
were changed from privileged user account to the effective user id of the
user, the home directory should belong to. A local attacker could use this
flaw to conduct hardlink attacks and possibly obtain unauthorized access
to arbitrary system file (CVE-2012-5644).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5630
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5644
https://bugzilla.redhat.com/show_bug.cgi?id=884685
https://bugzilla.redhat.com/show_bug.cgi?id=885724
========================

Updated packages in core/updates_testing:
========================
libuser-0.57.3-1.1.mga2
libuser-python-0.57.3-1.1.mga2
libuser-ldap-0.57.3-1.1.mga2
libuser1-0.57.3-1.1.mga2
libuser-devel-0.57.3-1.1.mga2

from libuser-0.57.3-1.1.mga2.src.rpm
Comment 4 claire robinson 2013-04-06 11:24:54 CEST
Testing mga2 64 using user management commands from
$ urpmf libuser: | grep bin

Confirming libuser is used by running under strace
# strace -o strace.txt luseradd testuser
# grep user strace.txt

Comparing with results from
$ urpmf libuser:
$ urpmf lib64user1

# strace -o strace.txt lpasswd testuser
New password:
New password (confirm):
Password changed.
# grep user strace.txt

Looking for things like..
open("/usr/lib64/libuser.so.1", O_RDONLY) = 3
open("/etc/libuser.conf", O_RDONLY)     = 3
open("/usr/lib64/libuser/libuser_files.so", O_RDONLY) = 3
open("/usr/lib64/libuser/libuser_shadow.so", O_RDONLY) = 3

Check it's worked..
# grep testuser /etc/passwd
testuser:x:501:501:testuser:/home/testuser:/bin/bash
# grep testuser /etc/group
testuser:x:501:

Check correct ownership in /home
# ll -d /home/testuser
drwx------ 4 testuser testuser 4096 Apr  6 10:05 /home/testuser/

# ll -a /home/testuser
total 36
drwx------ 4 testuser testuser 4096 Apr  6 10:05 ./
drwxr-xr-x 6 root     root     4096 Apr  6 10:05 ../
-rw-r--r-- 1 testuser testuser  387 Jan  9  2012 .bash_completion
-rw-r--r-- 1 testuser testuser   24 Jul 25  2012 .bash_logout
-rw-r--r-- 1 testuser testuser  191 Jul 25  2012 .bash_profile
-rw-r--r-- 1 testuser testuser  124 Jul 25  2012 .bashrc
drwxr-xr-x 4 testuser testuser 4096 May 24  2012 .mozilla/
-rw-r--r-- 1 testuser testuser 3793 Jan  8  2011 .screenrc
drwx------ 2 testuser testuser 4096 Jan 11  2011 tmp/

Remove testuser
# luserdel -r testuser
# ll -a /home/testuser
ls: cannot access /home/testuser: No such file or directory
Comment 5 claire robinson 2013-04-06 12:06:45 CEST
Testing complete mga2 32

Validating

Advisory & srpm in comment 3

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 6 Thomas Backlund 2013-04-06 15:19:38 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0110
Comment 7 David Walser 2013-04-18 21:07:29 CEST
Fedora has issued an advisory for this:
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102068.html

Note You need to log in before you can comment on or make changes to this bug.