Bugzilla – Bug 974220
VUL-0: CVE-2016-1601: autoyast2: Empty passwords fields in /etc/shadow after SLES 12 SP1 autoyast installation
Last modified: 2018-12-06 13:27:02 UTC
bugbot adjusting priority
Moved to autoyast maint.
Created attachment 672907 [details] Script to fix installed system (version included in yast2-users 3.1.41.3) This is the final version of the script to solve /etc/shadow issue. It's the same included in yast2-users 3.1.41.3 package.
Thanks Marcus. This is the SR for the new package: https://build.suse.de/request/show/110728 Just to summarize: * The bug appears when the AutoYaST profile does not contain inst-sys users (bin, daemon, lp, etc.). If those users are declared in the profile (the default behavior for "yast2 clone_system"), the bug will not be triggered. * yast2-users 3.1.41.3 fixes the issue (if it's used as a DUD). If it's installed in a affected system, it will also fix the problem. * Caveat: after releasing yast2-users 3.1.41.3, there's a problematic scenario: if "install_updates" option is enabled in the profile, the bug will appear again (because yast2-users 3.1.41.3 will be installed before the installation is finished and the users are written). Reinstalling yast2-users will fix the problem (or running the script on comment 24).
Fix for issue is in YaST:Head and openSUSE:Factory, so it is public
I am testing yast2-users package. So I create a new iso to test the bugs after downloading yast2-users-3.1.41.3-9.1.x86_64.rpm. but I found that empty passwords fields in /etc/shadow still existed. Make sure the latest version yast2-users was installed. The test autoyast file from here: https://bugzilla.suse.com/show_bug.cgi?id=973639#c0 So guys, please help me check it. PS: but /etc/shadow.YaST2save is OK. Its passwords fields is fine except root(root's password field is empty).
(In reply to jun wang from comment #27) > I am testing yast2-users package. > So I create a new iso to test the bugs > after downloading yast2-users-3.1.41.3-9.1.x86_64.rpm. > > but I found that empty passwords fields in /etc/shadow still existed. you likely only added the rpm without a dud. The shadow file is generated with the files in the ram disk, which is not affected by the rpm. Please check. > So guys, please help me check it. i can do that if you provide your media.
How could I reproduce the problem? I've tried these scenarios: * AutoYaST installation adding yast2-users to a Driver Update Disk. * AutoYaST installation using the original SLE12 SP1 DVD. After that, I've installed yast2-users-3.1.41.3-9.1.x86_64.rpm with zypper. In both cases it worked for me. So, please, could you attach YaST2 logs so we can have a closer look? Thanks in advance!
(In reply to Jochen Roeder from comment #28) > (In reply to jun wang from comment #27) > > I am testing yast2-users package. > > So I create a new iso to test the bugs > > after downloading yast2-users-3.1.41.3-9.1.x86_64.rpm. > > > > but I found that empty passwords fields in /etc/shadow still existed. > > you likely only added the rpm without a dud. The shadow file is generated > with the files in the ram disk, which is not affected by the rpm. Please > check. > > > So guys, please help me check it. > > i can do that if you provide your media. Yes, you are right. I only added the rpm into media without a dud. I realized the problem. And make sure it works well with a dud. this fix is fine. Thank you Jochen.
(In reply to Imobach Gonzalez Sosa from comment #29) > How could I reproduce the problem? I've tried these scenarios: > > * AutoYaST installation adding yast2-users to a Driver Update Disk. > * AutoYaST installation using the original SLE12 SP1 DVD. After that, I've > installed yast2-users-3.1.41.3-9.1.x86_64.rpm with zypper. > > In both cases it worked for me. So, please, could you attach YaST2 logs so > we can have a closer look? > > Thanks in advance! The issue happened because I only added the rpm package into a installation media withou dud. Now make sure this fix works well with dud. Thanks for your help.
SUSE-SU-2016:1138-1: An update that solves one vulnerability and has two fixes is now available. Category: security (important) Bug References: 971804,973639,974220 CVE References: CVE-2016-1601 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): yast2-users-3.1.41.3-9.1 SUSE Linux Enterprise Server 12-SP1 (src): yast2-users-3.1.41.3-9.1 SUSE Linux Enterprise Desktop 12-SP1 (src): yast2-users-3.1.41.3-9.1
Thanks Marcus, I've reassigned the bug as I've done all submissions.
openSUSE-SU-2016:1226-1: An update that solves one vulnerability and has two fixes is now available. Category: security (important) Bug References: 971804,973639,974220 CVE References: CVE-2016-1601 Sources used: openSUSE Leap 42.1 (src): yast2-users-3.1.41.3-10.1
fixed