Bug 967144 - CVE-2013-2069 heat-jeos: improper handling of passwords
Summary: CVE-2013-2069 heat-jeos: improper handling of passwords
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: heat-jeos
Version: 19
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Jeff Peeler
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 966594
Reported: 2013-05-24 23:04 UTC by Steven Dake
Modified: 2016-04-26 21:17 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-05-31 03:18:21 UTC
Type: Bug
Embargoed:



Description Steven Dake 2013-05-24 23:04:20 UTC
Please use the following update submission link to create the Bodhi
request for this issue as it contains the top-level parent bug(s) as well
as this tracking bug.  This will ensure that all associated bugs get
updated when new packages are pushed to stable.

Please also ensure that the "Close bugs when update is stable" option
remains checked.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=964299,966594

Comment 1 Steven Dake 2013-05-24 23:09:01 UTC
Jeff,

Please hold off on an update until Tomas provides any corrections needed to the bug tracking.

Tomas,

heat-jeos is impacted by the above CVE.  Is this bug in the proper state for your tracking?

Thanks
-steve

Comment 2 Jan Lieskovsky 2013-05-27 13:56:42 UTC
(In reply to Steven Dake from comment #1)

Thank you for your report, Steven.

> Jeff,
> 
> Please hold off on an update until Tomas provides any corrections needed to
> the bug tracking.
> 
> Tomas,
> 
> heat-jeos is impacted by the above CVE.

What makes you believe heat-jeos would be affected by the CVE-2013-2069 issue too? As far as I can tell there doesn't seem to be a code part where:
  https://git.fedorahosted.org/cgit/livecd/commit/?id=d40ec8e9d8e8222196f5f7f60b38983489794a67    or
  https://git.fedorahosted.org/cgit/cloud-kickstarts.git/commit/generic?id=a81eef60ed108f37747168dbfe05dd6c6484ef63

would be directly applicable. Or do you suggest those add-ons be added to the template files, as shipped within heat-jeos:

  ls ../rpmbuild/BUILD/heat-jeos-8.release/heat_jeos/jeos/*.tdl ?
  
Or you mean to sanitize the content of the kickstart file provided to the --auto-file option of the heat-jeos script?
  
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>  Is this bug in the proper state for
> your tracking?
> 
> Thanks
> -steve

Comment 3 Tomas Hoger 2013-05-27 14:41:26 UTC
As Jan hinted above, there's no real info in this bug for someone not familiar with this particular package to understand your report.

As you made this upstream commit, you are probably familiar with all the gory details:
https://github.com/sdake/heat-jeos/commit/387bfba17dc2cba79875277efdd6c7c783deb892

From a very quick look, heat-jeos uses oz to build guest images.  oz does not use appliance-tools / livecd-tools to build a guest image without starting it, but rather does a real installation using anaconda.  From that, I can't easily tell if images created using heat-jeos have an empty or some default password.  Even if they end up with some bad password, it should not be caused by the livecd-tools' python-imgcreate issue that got CVE-2013-2069 assigned.

Can you clarify what kind of password is set in guests by heat-jeos?  I see oz ks templates include rootpw command, which should not be removed, only replaced by a different rootpw command.  Can you fill in these missing details?

Also CCing Kurt.  As noted above, I don't think CVE-2013-2069 should be used for this, but it may need different id.

Comment 4 Steven Dake 2013-05-28 00:31:41 UTC
Jan & Tomas,
When I filed this bug, I thought Oz didn't set a root password - so it had the same problem.

I later learned speaking with Zane Bitter that Oz uses a default password of ozrootpw.  heat-jeos does not specify a <rootpw> option in the TDL as its purpose is to make gold images for use with Heat, so the instance gets the default password (which is well known).  Oz does not complain or error if <rootpw> is missing.

See:
https://github.com/clalancette/oz/blob/master/oz/Guest.py#L230

My apologies if I messed up the CVE process - I thought the bugs were related since they have the same resolution (locking the root account).

Regards
-steve

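The gap described in comment 4 (a TDL template with no <rootpw> silently inherits the Oz default) is easy to catch before an image is built. The script below is an added example written for this page, not heat-jeos or Oz code. It assumes the Oz TDL layout places <rootpw> under <template><os>, treats the value ozrootpw named above as the known default, and audits constructed sample templates (none are shipped heat-jeos files); the audit_files helper and the per-build password value are placeholders for how it would be wired into a real tree.

```python
"""Audit Oz TDL templates for missing, empty or well-known root passwords.

Added example, not heat-jeos or Oz code. Assumes <rootpw> lives under
<template><os> in Oz TDL and uses the default value named in the bug
discussion ("ozrootpw") as the known-bad value.
"""
import glob
import xml.etree.ElementTree as ET

# Value Oz falls back to when <rootpw> is absent (stated in comment 4).
OZ_DEFAULT_ROOTPW = "ozrootpw"

# Constructed sample templates; none of these are shipped heat-jeos files.
SAMPLE_TEMPLATES = {
    # Gold-image style template with no <rootpw> at all.
    "missing.tdl": """<template>
  <name>F19-x86_64-gold</name>
  <os>
    <name>Fedora</name>
    <version>19</version>
    <arch>x86_64</arch>
    <install type='url'><url>http://mirror.invalid/f19/</url></install>
  </os>
</template>""",
    # Template that explicitly sets the Oz default.
    "default.tdl": """<template>
  <name>default-pw</name>
  <os>
    <name>Fedora</name>
    <version>19</version>
    <arch>x86_64</arch>
    <rootpw>ozrootpw</rootpw>
  </os>
</template>""",
    # Template whose <rootpw> element is present but blank.
    "empty.tdl": """<template>
  <name>empty-pw</name>
  <os><name>Fedora</name><version>19</version><arch>x86_64</arch><rootpw> </rootpw></os>
</template>""",
    # Template with a per-build password (value is a placeholder).
    "ok.tdl": """<template>
  <name>ok-pw</name>
  <os>
    <name>Fedora</name>
    <version>19</version>
    <arch>x86_64</arch>
    <rootpw>PLACEHOLDER-per-build-secret</rootpw>
  </os>
</template>""",
    # Truncated XML; the auditor must report it rather than crash.
    "broken.tdl": "<template><os>",
}


def audit_tdl(name, xml_text):
    """Return a list of findings for one template (empty list = passed)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"{name}: unparseable TDL ({exc})"]
    # Expected location first; fall back to any <rootpw> in the document.
    rootpw = root.find("./os/rootpw")
    if rootpw is None:
        rootpw = root.find(".//rootpw")
    if rootpw is None:
        return [f"{name}: no <rootpw>; Oz would fall back to {OZ_DEFAULT_ROOTPW!r}"]
    value = (rootpw.text or "").strip()
    if not value:
        return [f"{name}: empty <rootpw>"]
    if value == OZ_DEFAULT_ROOTPW:
        return [f"{name}: <rootpw> is the well-known Oz default"]
    return []


def audit_templates(templates):
    """Audit a name -> XML mapping; returns only the names with findings."""
    report = {}
    for name, text in templates.items():
        findings = audit_tdl(name, text)
        if findings:
            report[name] = findings
    return report


def audit_files(pattern):
    """Glob for TDL files on disk and audit them (e.g. 'heat_jeos/jeos/*.tdl')."""
    templates = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            templates[path] = fh.read()
    return audit_templates(templates)


if __name__ == "__main__":
    for name, findings in audit_templates(SAMPLE_TEMPLATES).items():
        for line in findings:
            print(line)
```

Pointing audit_files at the heat_jeos/jeos/*.tdl directory mentioned in comment 2, or running it as part of the package build, turns a missing <rootpw> into a failing check instead of something discovered after the image ships; a template that passes still needs the password set per build and the account locked in the resulting image, which is the resolution the reporter refers to.
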
Comment 5 Jeff Peeler 2013-05-31 03:18:21 UTC
I guess I'll go ahead and close this since it appears that while the referenced CVE was related, it does not directly apply. All updates have been posted to bug 967147.

