Please use the following update submission link to create the Bodhi request for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. Please also ensure that the "Close bugs when update is stable" option remains checked. Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=964299,966594
Jeff, Please hold off on an update until Tomas provides any corrections needed to the bug tracking. Tomas, heat-jeos is impacted by the above CVE. Is this bug in the proper state for your tracking? Thanks -steve
(In reply to Steven Dake from comment #1) Thank you for your report, Steven. > Jeff, > > Please hold off on an update until Tomas provides any corrections needed to > the bug tracking. > > Tomas, > > heat-jeos is impacted by the above CVE. What makes you to believe heat-jeos would be affected by CVE-2013-2069 issue too? As far as I can tell there doesn't seem to be code part, where: https://git.fedorahosted.org/cgit/livecd/commit/?id=d40ec8e9d8e8222196f5f7f60b38983489794a67 or https://git.fedorahosted.org/cgit/cloud-kickstarts.git/commit/generic?id=a81eef60ed108f37747168dbfe05dd6c6484ef63 would be directly applicable. Or do you suggest those add-ons to be added to the template files, as shipped within heat-jeos: ls ../rpmbuild/BUILD/heat-jeos-8.release/heat_jeos/jeos/*.tdl ? Or you mean to sanitize the content of the kickstart file provided to the --auto-file option of the heat-jeos script? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team > Is this bug in the proper state for > your tracking? > > Thanks > -steve
As Jan hinted above, there's no real info in this bug to for someone not familiar with this particular package to understand your report. As you make this upstream commits, you are probably familiar with all the gory details: https://github.com/sdake/heat-jeos/commit/387bfba17dc2cba79875277efdd6c7c783deb892 From a very quick looks, heat-jeos uses oz to build guest images. oz does not use appliance-tools / livecd-tools to build guest image without starting it, but rather does real installation using anaconda. From that, I can't easily tell if images created using heat-jeos have empty or some default password. Even if they end up with some bad password, it should not be caused by the livecd-tools' python-imgcreate issue that got CVE-2013-2069 assigned. Can you clarify what kind of password is set in guests by heat-jeos? I see oz ks templates include rootpw command, which should not be removed, only replaced by a different rootpw command. Can you fill in these missing details? Also CCing Kurt. As noted above, I don't think CVE-2013-2069 should be used for this, but it may need different id.
Jan & Thomas, When I filed this bug, I thought Oz didn't set a root password - so it had the same problem. I later learned speaking with Zane BAitter that Oz uses a default password of ozrootpw. heat-jeos does not specify a <rootpw> option in the TDL as its purpose is to make gold images for use with Heat, so the instance gets the default password (which is well known). Oz does not complain or error if <rootpw> is missing. See: https://github.com/clalancette/oz/blob/master/oz/Guest.py#L230 My apologies if I messed up the CVE process - I thought the bugs were related since they have the same resolution (locking the root account). Regards -steve
I guess I'll go ahead and close this since it appears that while the referenced CVE was related, does not directly apply. All updates have been posted to bug 967147.