Bug 1149610 (CVE-2014-7272)
| Field | Value |
|---|---|
| Summary | CVE-2014-7272 sddm: several local privileges escalation issues |
| Product | [Other] Security Response |
| Reporter | Vasyl Kaigorodov <vkaigoro> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | awilliam, dvratil, jgrulich, jrusnack, kevin, ltinkl, mbriza, rdieter |
| Target Milestone | --- |
| Keywords | CommonBugs, Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2014-11-03 23:47:42 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1149629 |
| Bug Blocks | 1043127 |
| Attachments | |
Description
Vasyl Kaigorodov
2014-10-06 08:27:28 UTC
Created sddm tracking bugs for this issue:

Affects: fedora-all [bug 1149629]

Proposed as a Freeze Exception for 21-beta by Fedora user rdieter using the blocker tracking app because:

local privilege escalation security issue, associated bodhi update has requisite karma.

Discussed at 2014-10-22 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-10-22/f21-blocker-review.2014-10-22-16.03.log.txt

Accepted as a freeze exception issue - obviously, privescs in a release-blocking desktop's login manager are V. Bad. It'd be good to have a fix for this ASAP.

The fix is already queued for stable as FEDORA-2014-12442, it just wants to be pulled in.

There's a caveat however: fedora-livecd-kde-base.ks does this:

    # set up autologin for user liveuser
    sed -i 's/^AutoUser=.*/AutoUser=liveuser/' /etc/sddm.conf

This needs updating when/if FEDORA-2014-12242 hits, for 2 reasons:

1. AutoUser= is not the syntax for the latest sddm, it now uses User= in an [Autologin] group.
2. There is no default /etc/sddm.conf shipped anymore on which one could run sed.

IMHO, this is very user-unfriendly. The package should ship a default config file that users can edit. But the kickstart could probably just use cat instead of sed for now.

Martin Bříza, can you please update the master branch of spin-kickstarts with the new logic ASAP, or tell me what to put in there, so we have something to cherry-pick? Rawhide already has the new SDDM, so this should have already happened! (There's no way autologin is working on Rawhide KDE live images right now.)

Is this enough?

    cat >/etc/sddm.conf <<EOF
    [Autologin]
    User=liveuser
    EOF

Or do we have to generate a complete config file?

Created attachment 949792 [details]
Patch for spin-kickstarts

Seems I can't push to spin-kickstarts - here is a patch that should fix the problem

applied to master.

now fixed on master - mbriza, you can't use EOF there, because you're nested within the "cat >> /etc/rc.d/init.d/livesys << EOF". You have to use something else - see how the other blocks use MENU_EOF, AKONADI_EOF, etc etc. I changed it to use SDDM_EOF.

I built a live image with the new sddm and mbriza's patch to spin-kickstarts. It black screens on boot. /var/log/sddm.log has:

    (EE) DAEMON: Failed to find command for session: "plasma.desktop"

sddm-0.9.0-2.20141007git6a28c29b.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Whoops, forgot to note that I fixed c#9.

Setting ON_QA for F21, we pulled the updated sddm into Beta.

VERIFIED at least that the updated version is in Beta RC4 and works correctly.

The updated sddm was pushed stable. Closing.
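The kickstart change discussed in the thread, as an added example that is not part of the bug report or of the spin-kickstarts project: a scratch directory passed as `$1` stands in for the live image root, the livesys script is generated through an outer heredoc (delimiter EOF), and the sddm config is written from an inner heredoc with a distinct delimiter (SDDM_EOF), next to the old `sed -i` line that fails when no default `/etc/sddm.conf` exists and the nested-EOF mistake the review caught. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report). $root replaces / so the generated
# script writes under a scratch directory instead of the real /etc.

# Generate the livesys script. The outer heredoc is unquoted (as in the
# kickstart), so $root is expanded now and the generated script carries the
# literal path; the inner heredoc uses SDDM_EOF so it survives the outer one.
write_livesys() {
  root=$1
  cat > "$root/livesys" <<EOF
#!/bin/sh
# generated livesys: set up autologin for user liveuser (new sddm syntax)
mkdir -p "$root/etc"
cat > "$root/etc/sddm.conf" <<SDDM_EOF
[Autologin]
User=liveuser
SDDM_EOF
EOF
}

# Run the generated script and read back the User= key from the
# [Autologin] group only (stops at the next group header).
autologin_user() {
  root=$1
  write_livesys "$root"
  sh "$root/livesys"
  sed -n '/^\[Autologin\]/,/^\[/ s/^User=//p' "$root/etc/sddm.conf"
}

# The old kickstart line edits an existing /etc/sddm.conf in place. With no
# default config shipped there is nothing to edit, so sed exits non-zero.
old_sed_approach() {
  root=$1
  sed -i 's/^AutoUser=.*/AutoUser=liveuser/' "$root/etc/sddm.conf" 2>/dev/null
}

# Why the inner delimiter must not be EOF: the outer heredoc ends at the first
# "EOF" line, and the second "EOF" is then executed as a command (not found).
nested_eof_breaks() {
  sh -c 'cat > /dev/null <<EOF
cat > /dev/null <<EOF
[Autologin]
EOF
EOF' 2>/dev/null
}
```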