Bug 883174 (CVE-2014-4040) - VUL-0: CVE-2014-4040: powerpc-utils: May expose passwords from fstab or yaboot.con
Summary: VUL-0: CVE-2014-4040: powerpc-utils: May expose passwords from fstab or yaboo...
Status: RESOLVED FIXED
Alias: CVE-2014-4040
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Deadline: 2014-09-26
Assignee: Jan Loeser
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/99697/
Whiteboard: maint:running:58953:moderate maint:re...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-18 10:46 UTC by Johannes Segitz
Modified: 2015-02-18 18:28 UTC
CC List: 7 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2014-06-18 10:46:07 UTC
snap in powerpc-utils 1.2.20 produces an archive with fstab and yaboot.conf
files potentially containing cleartext passwords, and lacks a warning about
reviewing this archive to detect included passwords, which might allow remote
attackers to obtain sensitive information by leveraging access to a
technical-support data stream.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1110520
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4040
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4040
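The description above is the whole problem: snap copies /etc/fstab and /etc/yaboot.conf into the support archive, and both can carry cleartext credentials (a `password=` directive in yaboot.conf, or `password=` in the mount-options field of an fstab entry, as cifs mounts commonly have). The following is an added example, not code from powerpc-utils or from anyone in this thread, of the check a practitioner would want to run over such an archive before handing it to support: it parses both file types, reports every line that carries a credential, and shows how the value can be masked while keeping the line readable. The archive layout (`snap-<host>/etc/...`), the option names treated as secrets and the sample contents are all assumptions constructed for the example.

```python
import io
import os
import re
import tarfile

# Basenames of files snap(1) collects that may carry credentials (assumption:
# the archive keeps the original file names under some directory prefix).
SENSITIVE_BASENAMES = ("fstab", "yaboot.conf")

# yaboot.conf: a global or per-image "password=<secret>" directive.
YABOOT_PASSWORD_RE = re.compile(r"^\s*password\s*=\s*(.+?)\s*$", re.IGNORECASE)

# fstab: credentials embedded in the mount-options field, e.g. cifs
# "username=svc,password=S3cret". Option names treated as secrets (assumption).
FSTAB_SECRET_OPTS = ("password", "pass", "passwd")


def find_yaboot_secrets(text):
    """Return (line_number, line) pairs for password directives in yaboot.conf."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if YABOOT_PASSWORD_RE.match(line):
            hits.append((number, line))
    return hits


def find_fstab_secrets(text):
    """Return (line_number, line) pairs for fstab entries whose options carry a secret."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        # fstab: <spec> <file> <vfstype> <mntops> [freq] [passno]; skip blanks and comments
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        for opt in fields[3].split(","):
            name, sep, _value = opt.partition("=")
            if sep and name.lower() in FSTAB_SECRET_OPTS:
                hits.append((number, line))
                break
    return hits


def redact(line):
    """Mask the value of password-style keys, keeping the key so the line stays readable."""
    return re.sub(r"(?i)\b(password|pass|passwd)(\s*=\s*)[^,\s]*", r"\1\2<REDACTED>", line)


def scan_archive(archive_bytes):
    """Scan an in-memory tarball; return {member_name: [(lineno, line), ...]} for members with findings."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            base = os.path.basename(member.name)
            if not member.isfile() or base not in SENSITIVE_BASENAMES:
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            hits = find_yaboot_secrets(text) if base == "yaboot.conf" else find_fstab_secrets(text)
            if hits:
                findings[member.name] = hits
    return findings


def build_sample_archive():
    """Constructed sample archive mimicking snap's layout; not real snap output."""
    files = {
        "snap-host1/etc/fstab": (
            "# constructed sample\n"
            "/dev/sda2  /  ext3  defaults  1 1\n"
            "//fileserver/share  /mnt/share  cifs  username=svc,password=S3cret,uid=1000  0 0\n"
        ),
        "snap-host1/etc/yaboot.conf": "boot=/dev/sda1\npassword=OpenSesame\nimage=/boot/vmlinux\n\tlabel=linux\n",
        "snap-host1/etc/hostname": "host1\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def report(archive_bytes):
    """Print the warning an operator should see before sending the archive; return the finding count."""
    total = 0
    for name, hits in scan_archive(archive_bytes).items():
        for number, line in hits:
            print(f"WARNING: {name}:{number}: possible cleartext credential: {redact(line)}")
            total += 1
    if total:
        print("Review the archive before sending it to support.")
    return total


if __name__ == "__main__":
    report(build_sample_archive())
```

Run it as-is and it reports two findings from the constructed archive, one per file. Whether the archive should then be scrubbed automatically or only flagged is a judgement call (a scrub that silently rewrites config files can hide the very problem support is meant to diagnose); what the example guarantees is that the operator learns the secrets are there before the archive leaves the machine.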
Comment 1 Johannes Segitz 2014-06-18 12:25:09 UTC
we would like to add it to another, currently running update
(MaintenanceTracker-57826). Therefore a timely submit would be very appreciated
Comment 2 Swamp Workflow Management 2014-06-18 22:00:13 UTC
bugbot adjusting priority
Comment 3 Jan Loeser 2014-06-25 09:46:04 UTC
Hi,

how do we proceed here?
Comment 4 Johannes Segitz 2014-06-25 15:28:51 UTC
I would suggest that we display a warning to the user and don't try to scrub the data.
Comment 5 Johannes Segitz 2014-07-03 07:32:46 UTC
If we want to take the opportunity to use the existing workflow, we would need a submission in the next few days.
Comment 6 Matthias Fruehauf 2014-07-03 15:22:21 UTC
IBM, can you please comment.
Comment 7 SMASH SMASH 2014-07-04 08:30:15 UTC
Affected packages:

SLE-10-SP3-TERADATA: powerpc-utils
SLE-11-SP3: powerpc-utils
Comment 8 Jan Loeser 2014-09-08 09:00:51 UTC
Hi IBM,

do you really need those files (yaboot.conf, fstab) or can we just ignore them in snap? At least, I will add a warning that confidential data may be saved.

Jan
Comment 11 Swamp Workflow Management 2014-09-12 12:14:54 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-09-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58953
Comment 12 Marcus Meissner 2014-09-24 11:41:25 UTC
released

drop needinfo ibm
Comment 13 Swamp Workflow Management 2014-09-24 21:04:27 UTC
SUSE-SU-2014:1211-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 883174
CVE References: CVE-2014-4040
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    powerpc-utils-1.2.16-0.13.1
Comment 14 Jan Loeser 2014-10-28 11:50:55 UTC
Maintenance request for SLES12
Comment 18 Swamp Workflow Management 2015-02-06 17:05:44 UTC
SUSE-SU-2015:0232-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 883174,901216
CVE References: CVE-2014-4040
Sources used:
SUSE Linux Enterprise Server 12 (src):    powerpc-utils-1.2.22-7.1