Bug 1727770 (CVE-2019-13314)

Summary: CVE-2019-13314 virt-bootstrap: allows local users to discover root password via process listing
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fidencio, rstoyanov1
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A password disclosure flaw was found in virt-bootstrap, version 1.1.0. Because virt-bootstrap accepts root password as a command line argument via --root-password option, the password could leak to other system users via process listing.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-12 13:08:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1727771    
Bug Blocks: 1727818    

Description Dhananjay Arunesh 2019-07-08 06:50:42 UTC
virt-bootstrap 1.1.0 allows local users to discover a root password by listing a process, because this password may be present in the --root-password option to virt_bootstrap.py.

Reference:
https://github.com/virt-manager/virt-bootstrap/releases
https://www.redhat.com/archives/virt-tools-list/2019-July/msg00043.html

Comment 1 Dhananjay Arunesh 2019-07-08 06:50:53 UTC
Created virt-bootstrap tracking bugs for this issue:

Affects: fedora-all [bug 1727771]

Comment 2 Dhananjay Arunesh 2019-07-08 07:50:50 UTC
Acknowledgments:

Name: Fabiano FidĂȘncio (Red Hat)

Comment 3 Prasad J Pandit 2019-07-09 05:00:54 UTC
External References:

https://www.openwall.com/lists/oss-security/2019/07/08/3

Comment 4 Product Security DevOps Team 2019-07-12 13:08:27 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.