Bug 967144

Summary: CVE-2013-2069 heat-jeos: improper handling of passwords
Product: [Fedora] Fedora
Reporter: Steven Dake <sdake>
Component: heat-jeos
Assignee: Jeff Peeler <jpeeler>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 19
CC: asalkeld, imain, jlieskov, jpeeler, kseifried, sdake, thoger, zbitter
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-05-31 03:18:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 966594

Description Steven Dake 2013-05-24 23:04:20 UTC
Please use the following update submission link to create the Bodhi
request for this issue as it contains the top-level parent bug(s) as well
as this tracking bug.  This will ensure that all associated bugs get
updated when new packages are pushed to stable.

Please also ensure that the "Close bugs when update is stable" option
remains checked.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=964299,966594

Comment 1 Steven Dake 2013-05-24 23:09:01 UTC
Jeff,

Please hold off on an update until Tomas provides any corrections needed to the bug tracking.

Tomas,

heat-jeos is impacted by the above CVE.  Is this bug in the proper state for your tracking?

Thanks
-steve

Comment 2 Jan Lieskovsky 2013-05-27 13:56:42 UTC
(In reply to Steven Dake from comment #1)

Thank you for your report, Steven.

> Jeff,
> 
> Please hold off on an update until Tomas provides any corrections needed to
> the bug tracking.
> 
> Tomas,
> 
> heat-jeos is impacted by the above CVE.

What makes you believe heat-jeos would be affected by the CVE-2013-2069 issue too? As far as I can tell, there doesn't seem to be a code part where:
  https://git.fedorahosted.org/cgit/livecd/commit/?id=d40ec8e9d8e8222196f5f7f60b38983489794a67    or
  https://git.fedorahosted.org/cgit/cloud-kickstarts.git/commit/generic?id=a81eef60ed108f37747168dbfe05dd6c6484ef63

would be directly applicable. Or do you suggest those add-ons be added to the template files, as shipped within heat-jeos:

  ls ../rpmbuild/BUILD/heat-jeos-8.release/heat_jeos/jeos/*.tdl ?

Or do you mean to sanitize the content of the kickstart file provided to the --auto-file option of the heat-jeos script?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>  Is this bug in the proper state for
> your tracking?
> 
> Thanks
> -steve

Comment 3 Tomas Hoger 2013-05-27 14:41:26 UTC
As Jan hinted above, there's no real info in this bug for someone not familiar with this particular package to understand your report.

As you made these upstream commits, you are probably familiar with all the gory details:
https://github.com/sdake/heat-jeos/commit/387bfba17dc2cba79875277efdd6c7c783deb892

From a very quick look, heat-jeos uses oz to build guest images.  oz does not use appliance-tools / livecd-tools to build the guest image without starting it, but rather does a real installation using anaconda.  From that, I can't easily tell if images created using heat-jeos have an empty or some default password.  Even if they end up with some bad password, it should not be caused by the livecd-tools' python-imgcreate issue that got CVE-2013-2069 assigned.

Can you clarify what kind of password is set in guests by heat-jeos?  I see oz ks templates include rootpw command, which should not be removed, only replaced by a different rootpw command.  Can you fill in these missing details?

Also CCing Kurt.  As noted above, I don't think CVE-2013-2069 should be used for this, but it may need a different id.

Comment 4 Steven Dake 2013-05-28 00:31:41 UTC
Jan & Tomas,
When I filed this bug, I thought Oz didn't set a root password - so it had the same problem.

I later learned, speaking with Zane Bitter, that Oz uses a default password of ozrootpw.  heat-jeos does not specify a <rootpw> option in the TDL, as its purpose is to make gold images for use with Heat, so the instance gets the default password (which is well known).  Oz does not complain or error if <rootpw> is missing.

See:
https://github.com/clalancette/oz/blob/master/oz/Guest.py#L230

My apologies if I messed up the CVE process - I thought the bugs were related since they have the same resolution (locking the root account).

Regards
-steve
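The failure mode described in comment 4 (a TDL without `<rootpw>` silently receives Oz's well-known default) can be caught before an image is built by auditing the template files. The following is an added example, not code from heat-jeos or Oz; it assumes Oz's TDL layout with `<rootpw>` as a child of `<template><os>`, and the sample TDL documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Oz falls back to this password when the TDL carries no <rootpw> (comment 4).
OZ_DEFAULT_ROOTPW = "ozrootpw"


def audit_tdl_rootpw(tdl_xml: str) -> dict:
    """Report how an Oz TDL ends up configuring the root password.

    status is one of:
      "missing" - no /template/os/rootpw: Oz silently uses OZ_DEFAULT_ROOTPW
      "default" - <rootpw> is present but equals the well-known default
      "set"     - an explicit, non-default root password is configured
    """
    root = ET.fromstring(tdl_xml)
    if root.tag != "template":
        raise ValueError("not an Oz TDL document (root element %r)" % root.tag)
    name = root.findtext("name", default="<unnamed>")
    rootpw = root.findtext("os/rootpw")  # assumed TDL path: /template/os/rootpw
    if rootpw is None or not rootpw.strip():
        status = "missing"
    elif rootpw.strip() == OZ_DEFAULT_ROOTPW:
        status = "default"
    else:
        status = "set"
    return {"template": name, "status": status,
            "effective_password_known": status in ("missing", "default")}


def predictable_root_templates(docs) -> list:
    """Return findings only for TDLs whose root password an attacker could guess."""
    findings = (audit_tdl_rootpw(d) for d in docs)
    return [f for f in findings if f["effective_password_known"]]


# Constructed sample TDLs (not heat-jeos' shipped templates).
TDL_NO_ROOTPW = """<template>
  <name>F19-x86_64-cfntools</name>
  <os><name>Fedora</name><version>19</version><arch>x86_64</arch>
    <install type='url'><url>http://mirror.example/fedora/19/</url></install></os>
</template>"""

TDL_WITH_ROOTPW = TDL_NO_ROOTPW.replace(
    "<arch>x86_64</arch>", "<arch>x86_64</arch><rootpw>example-only-pw</rootpw>")

if __name__ == "__main__":
    for finding in predictable_root_templates([TDL_NO_ROOTPW, TDL_WITH_ROOTPW]):
        print("WARN: %(template)s root password is %(status)s" % finding)
```

Pointing the audit at `heat_jeos/jeos/*.tdl` (the files comment 2 lists) flags every template that would inherit the default; the mitigation the thread settles on is to lock the root account in the built image rather than leave the default in place.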

Comment 5 Jeff Peeler 2013-05-31 03:18:21 UTC
I guess I'll go ahead and close this since it appears that, while the referenced CVE was related, it does not directly apply. All updates have been posted to bug 967147.