Bug 967144 - CVE-2013-2069 heat-jeos: improper handling of passwords
Product: Fedora
Classification: Fedora
Component: heat-jeos
Version: 19
Hardware: Unspecified
OS: Unspecified
Assignee: Jeff Peeler
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Blocks: 966594
Reported: 2013-05-24 23:04 UTC by Steven Dake
Modified: 2016-04-26 21:17 UTC

Doc Type: Bug Fix
Last Closed: 2013-05-31 03:18:21 UTC
Type: Bug


Description Steven Dake 2013-05-24 23:04:20 UTC
Please use the following update submission link to create the Bodhi
request for this issue as it contains the top-level parent bug(s) as well
as this tracking bug.  This will ensure that all associated bugs get
updated when new packages are pushed to stable.

Please also ensure that the "Close bugs when update is stable" option
remains checked.

Bodhi update submission link:

Comment 1 Steven Dake 2013-05-24 23:09:01 UTC

Please hold off on an update until Tomas provides any corrections needed to the bug tracking.


heat-jeos is impacted by the above CVE.  Is this bug in the proper state for your tracking?


Comment 2 Jan Lieskovsky 2013-05-27 13:56:42 UTC
(In reply to Steven Dake from comment #1)

Thank you for your report, Steven.

> Jeff,
> Please hold off on an update until Tomas provides any corrections needed to
> the bug tracking.
> Tomas,
> heat-jeos is impacted by the above CVE.

What makes you believe heat-jeos would be affected by the CVE-2013-2069 issue too? As far as I can tell there doesn't seem to be a code part where:
  https://git.fedorahosted.org/cgit/livecd/commit/?id=d40ec8e9d8e8222196f5f7f60b38983489794a67    or

would be directly applicable. Or do you suggest those add-ons be added to the template files, as shipped within heat-jeos:

  ls ../rpmbuild/BUILD/heat-jeos-8.release/heat_jeos/jeos/*.tdl ?
Or do you mean to sanitize the content of the kickstart file provided to the --auto-file option of the heat-jeos script?
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

>  Is this bug in the proper state for
> your tracking?
> Thanks
> -steve

Comment 3 Tomas Hoger 2013-05-27 14:41:26 UTC
As Jan hinted above, there's no real info in this bug for someone not familiar with this particular package to understand your report.

As you made these upstream commits, you are probably familiar with all the gory details:

From a very quick look, heat-jeos uses oz to build guest images. oz does not use appliance-tools / livecd-tools to build a guest image without starting it, but rather does a real installation using anaconda. From that, I can't easily tell if images created using heat-jeos have an empty or some default password. Even if they end up with some bad password, it should not be caused by the livecd-tools python-imgcreate issue that got CVE-2013-2069 assigned.

Can you clarify what kind of password is set in guests by heat-jeos?  I see oz ks templates include rootpw command, which should not be removed, only replaced by a different rootpw command.  Can you fill in these missing details?

Also CCing Kurt. As noted above, I don't think CVE-2013-2069 should be used for this, but it may need a different id.

Comment 4 Steven Dake 2013-05-28 00:31:41 UTC
Jan & Tomas,
When I filed this bug, I thought Oz didn't set a root password - so it had the same problem.

I later learned, speaking with Zane Bitter, that Oz uses a default password of ozrootpw. heat-jeos does not specify a <rootpw> option in the TDL as its purpose is to make gold images for use with Heat, so the instance gets the default password (which is well known). Oz does not complain or error if <rootpw> is missing.


My apologies if I messed up the CVE process - I thought the bugs were related since they have the same resolution (locking the root account).
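Added example, not part of this bug's comments and not code from heat-jeos or Oz: a small lint for the two conditions the thread describes. Comment 4 states that Oz silently falls back to the well-known default root password when a TDL has no <rootpw>, and comment 3 notes that the rootpw command in an oz kickstart (such as one passed to heat-jeos --auto-file) should be replaced, never removed. The sample TDL and kickstart fragments are constructed; the TDL shape (rootpw under <os>) is an assumption, and the check uses iter() so it does not depend on where the element sits. The kickstart parser stops at the first % section directive, which is a simplification.

```python
import xml.etree.ElementTree as ET

# Well-known Oz default root password, as stated in comment 4 of this bug.
OZ_DEFAULT_ROOTPW = "ozrootpw"

# Constructed sample TDL. Assumption: Oz keeps <rootpw> under <os>; the
# check below uses iter() so it finds the element wherever it appears.
TDL_MISSING_ROOTPW = """<template>
  <name>gold-image-sample</name>
  <os>
    <name>Fedora</name>
    <version>19</version>
    <arch>x86_64</arch>
    <install type="url"><url>http://mirror.example.invalid/fedora/19/</url></install>
  </os>
  <description>constructed sample without a rootpw element</description>
</template>
"""

# Same template with the Oz default, and with a build-time placeholder value.
TDL_DEFAULT_ROOTPW = TDL_MISSING_ROOTPW.replace(
    "<arch>x86_64</arch>",
    "<arch>x86_64</arch>\n    <rootpw>ozrootpw</rootpw>")

TDL_SET_ROOTPW = TDL_MISSING_ROOTPW.replace(
    "<arch>x86_64</arch>",
    "<arch>x86_64</arch>\n    <rootpw>PLACEHOLDER-set-at-build-time</rootpw>")

# Constructed kickstart fragments for the --auto-file case from comment 2.
KS_ROOTPW_REMOVED = """install
text
keyboard us
# the rootpw line was deleted here instead of being replaced
%packages
@core
%end
"""

KS_ROOTPW_LOCKED = """install
text
keyboard us
rootpw --lock
%packages
@core
%end
"""


def tdl_rootpw_findings(tdl_xml):
    """Return a list of findings for a TDL template; an empty list means nothing to report."""
    root = ET.fromstring(tdl_xml)
    values = [(el.text or "").strip() for el in root.iter("rootpw")]
    if not values:
        return ["TDL has no <rootpw>: Oz falls back to its default root password"]
    findings = []
    for value in values:
        if value == OZ_DEFAULT_ROOTPW:
            findings.append("TDL <rootpw> is the well-known Oz default")
        elif not value:
            findings.append("TDL <rootpw> is empty")
    return findings


def kickstart_rootpw_findings(ks_text):
    """Return findings for the command section of a kickstart file."""
    commands = []
    for line in ks_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("%"):
            break  # %packages, %post etc. start section content, not commands
        if stripped and not stripped.startswith("#"):
            commands.append(stripped.split())
    rootpw_cmds = [cmd for cmd in commands if cmd[0] == "rootpw"]
    if not rootpw_cmds:
        return ["kickstart has no rootpw command: it was removed rather than replaced"]
    findings = []
    for cmd in rootpw_cmds:
        if "--lock" in cmd:
            continue  # locked root account: the resolution the comments above describe
        if OZ_DEFAULT_ROOTPW in cmd[1:]:
            findings.append("kickstart rootpw is the well-known Oz default")
    return findings


if __name__ == "__main__":
    for label, tdl in [("missing", TDL_MISSING_ROOTPW),
                       ("default", TDL_DEFAULT_ROOTPW),
                       ("set", TDL_SET_ROOTPW)]:
        print("tdl", label, tdl_rootpw_findings(tdl))
    for label, ks in [("removed", KS_ROOTPW_REMOVED), ("locked", KS_ROOTPW_LOCKED)]:
        print("kickstart", label, kickstart_rootpw_findings(ks))
```

Run it against the .tdl files under heat_jeos/jeos/ (the path comment 2 lists) or a kickstart destined for --auto-file; any non-empty list is a template that would produce an image with a missing, empty or default root password.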


Comment 5 Jeff Peeler 2013-05-31 03:18:21 UTC
I guess I'll go ahead and close this since it appears that while the referenced CVE was related, it does not directly apply. All updates have been posted to bug 967147.
