libuser 0.59 was released, fixing some security issues. Freeze push for Cauldron requested.

Fedora backported a patch for 0.57.6 that might work for Mageia 2:
http://pkgs.fedoraproject.org/cgit/libuser.git/commit/?h=f17&id=78a55bf498cac0b430ba6512654860c39dfd0bf9
Whiteboard: (none) => MGA2TOO
libuser 0.59 pushed in Cauldron.
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
Patch applies in Mageia 2, but it doesn't build:
http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20130402210500.luigiwalser.valstar.4305/log/libuser-0.57.3-1.1.mga2/build.0.20130402210505.log

It looks like it doesn't like the lu_util_fscreate_from_fd calls on lines 243 and 460 of apps/apputil.c.

lu_util_fscreate_from_fd is a function if compiled --with-selinux (as Fedora does), but is a macro if compiled --without-selinux (as we do). These are defined in lib/user_private.h.
There was a bug in the macro (which is being added in this patch), which was addressed upstream in the last commit for 0.59. I've made the appropriate change to the patch.

Patched package uploaded for Mageia 2.

The references will be updated when Fedora's F18 update is pushed.

Advisory:
========================

Updated libuser packages fix security vulnerabilities:

A TOCTOU (time-of-check time-of-use) race condition was found in the way libuser performed copying and removal of (user) directory trees. A local attacker, with permissions to write into a particular directory, could use this flaw to conduct symbolic link attacks, leading to their ability to alter / remove directories outside of this directory (tree), if this directory was simultaneously modified (copied or removed) via libuser functionality (CVE-2012-5630).

An information disclosure flaw was found in the way libuser performed movement of a user's home directory. Previously, during the move the ownership of all the (sub)entries present in the directory tree to be moved was changed from the privileged user account to the effective user id of the user the home directory should belong to. A local attacker could use this flaw to conduct hardlink attacks and possibly obtain unauthorized access to an arbitrary system file (CVE-2012-5644).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5630
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5644
https://bugzilla.redhat.com/show_bug.cgi?id=884685
https://bugzilla.redhat.com/show_bug.cgi?id=885724
========================

Updated packages in core/updates_testing:
========================
libuser-0.57.3-1.1.mga2
libuser-python-0.57.3-1.1.mga2
libuser-ldap-0.57.3-1.1.mga2
libuser1-0.57.3-1.1.mga2
libuser-devel-0.57.3-1.1.mga2

from libuser-0.57.3-1.1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
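The symlink race described in the advisory for CVE-2012-5630 is avoided by walking the tree relative to open directory descriptors and never following symlinks. The following is an added example, not libuser's code or the Fedora patch; remove_tree_at and demo are hypothetical names and the directory tree is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: remove directory `name` under parent_fd; 0 on success. */
int remove_tree_at(int parent_fd, const char *name)
{
    /* O_NOFOLLOW: fail if `name` has been replaced by a symlink. */
    int fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    DIR *d = fdopendir(fd);               /* d owns fd from here on */
    if (!d) { close(fd); return -1; }
    int rc = 0;
    struct dirent *e;
    while (rc == 0 && (e = readdir(d)) != NULL) {
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        /* lstat-style check relative to the open directory, not a path. */
        if (fstatat(fd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) rc = -1;
        else if (S_ISDIR(st.st_mode)) rc = remove_tree_at(fd, e->d_name);
        else rc = unlinkat(fd, e->d_name, 0);   /* removes the link itself */
    }
    closedir(d);
    return rc ? rc : unlinkat(parent_fd, name, AT_REMOVEDIR);
}

/* Constructed tree: home/{sub/file, link -> ../outside} and outside/keep.
 * Returns 1 if home is gone and outside/keep survived, 0 otherwise. */
int demo(void)
{
    char base[] = "/tmp/rmtree-demo-XXXXXX";
    if (!mkdtemp(base)) return 0;
    int b = open(base, O_RDONLY | O_DIRECTORY);
    mkdirat(b, "outside", 0700);
    close(openat(b, "outside/keep", O_CREAT | O_WRONLY, 0600));
    mkdirat(b, "home", 0700);
    mkdirat(b, "home/sub", 0700);
    close(openat(b, "home/sub/file", O_CREAT | O_WRONLY, 0600));
    symlinkat("../outside", b, "home/link");
    int ok = remove_tree_at(b, "home") == 0
          && faccessat(b, "home", F_OK, 0) != 0
          && faccessat(b, "outside/keep", F_OK, 0) == 0;
    remove_tree_at(b, "outside");         /* clean up the demo directory */
    close(b);
    rmdir(base);
    return ok;
}
```

If an entry is swapped for a symlink between the fstatat check and the recursive call, the openat with O_NOFOLLOW | O_DIRECTORY fails instead of descending into the link target.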
Testing mga2 64 using user management commands from

$ urpmf libuser: | grep bin

Confirming libuser is used by running under strace

# strace -o strace.txt luseradd testuser
# grep user strace.txt

Comparing with results from

$ urpmf libuser:
$ urpmf lib64user1

# strace -o strace.txt lpasswd testuser
New password:
New password (confirm):
Password changed.
# grep user strace.txt

Looking for things like..

open("/usr/lib64/libuser.so.1", O_RDONLY) = 3
open("/etc/libuser.conf", O_RDONLY) = 3
open("/usr/lib64/libuser/libuser_files.so", O_RDONLY) = 3
open("/usr/lib64/libuser/libuser_shadow.so", O_RDONLY) = 3

Check it's worked..

# grep testuser /etc/passwd
testuser:x:501:501:testuser:/home/testuser:/bin/bash
# grep testuser /etc/group
testuser:x:501:

Check correct ownership in /home

# ll -d /home/testuser
drwx------ 4 testuser testuser 4096 Apr 6 10:05 /home/testuser/
# ll -a /home/testuser
total 36
drwx------ 4 testuser testuser 4096 Apr 6 10:05 ./
drwxr-xr-x 6 root root 4096 Apr 6 10:05 ../
-rw-r--r-- 1 testuser testuser 387 Jan 9 2012 .bash_completion
-rw-r--r-- 1 testuser testuser 24 Jul 25 2012 .bash_logout
-rw-r--r-- 1 testuser testuser 191 Jul 25 2012 .bash_profile
-rw-r--r-- 1 testuser testuser 124 Jul 25 2012 .bashrc
drwxr-xr-x 4 testuser testuser 4096 May 24 2012 .mozilla/
-rw-r--r-- 1 testuser testuser 3793 Jan 8 2011 .screenrc
drwx------ 2 testuser testuser 4096 Jan 11 2011 tmp/

Remove testuser

# luserdel -r testuser
# ll -a /home/testuser
ls: cannot access /home/testuser: No such file or directory
Whiteboard: (none) => has_procedure mga2-64-ok
Testing complete mga2 32

Validating

Advisory & srpm in comment 3

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0110
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Fedora has issued an advisory for this: http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102068.html
URL: (none) => http://lwn.net/Vulnerabilities/546514/