The livecd-tools package provides support for reading and executing Kickstart files in order to create a system image. It was discovered that livecd-tools gave the root user an empty password rather than leaving the password locked in situations where no 'rootpw' directive was used or when the 'rootpw --lock' directive was used within the Kickstart file, which could allow local users to gain access to the root account. (CVE-2013-2069) Please note that livecd-tools is also used by appliance-tools to create images used for virtual machines, USB based systems, and so on. Additionally, the Python script components of livecd-tools have been broken out into a separate package named python-imgcreate on some distributions (such as Fedora). Acknowledgements: Red Hat would like to thank Amazon Web Services for reporting this issue. Amazon Web Services acknowledges Sylvain Beucler as the original reporter.
IssueDescription: It was discovered that when used to create images, livecd-tools gave the root user an empty password rather than leaving the password locked in situations where no 'rootpw' directive was used or when the 'rootpw --lock' directive was used within the Kickstart file, which could allow local users to gain access to the root account. ExternalReferences: https://access.redhat.com/site/solutions/379353
This issue has been addressed in following products: Red Hat Common Via RHSA-2013:0849 https://rhn.redhat.com/errata/RHSA-2013-0849.html
Created livecd-tools tracking bugs for this issue Affects: fedora-all [bug 966594] Affects: epel-all [bug 966596]
Related Red Hat Portal Knowledgebase article: https://access.redhat.com/site/solutions/379353 Amazon Security Bulletin: https://aws.amazon.com/security/security-bulletins/red-hat-and-other-third-party-public-amis-security-concern/ livecd-tools were fixed versions 19.3, 18.16, 17.17, and 13.4.4, using the following fix: https://git.fedorahosted.org/cgit/livecd/commit/?id=d40ec8e9d8e8222196f5f7f60b38983489794a67 http://seclists.org/oss-sec/2013/q2/398 Fix for Fedora EC2 images kickstarts, and Fedora announcement: https://git.fedorahosted.org/cgit/cloud-kickstarts.git/commit/generic?id=a81eef60ed108f37747168dbfe05dd6c6484ef63 http://lists.fedoraproject.org/pipermail/announce/2013-May/003157.html
On LIVE Image builded with livecd-tools 19.3 is unable to login as root and/or run LIVEINST now.
(In reply to Arkady L. Shane from comment #6) > On LIVE Image builded with livecd-tools 19.3 is unable to login as root > and/or run LIVEINST now. Correct. The live kickstarts need to be modified to remove the root password. I've sent a patch for that to the spin-kickstarts list. Also, this bug is not the right place for bugs in spins. Please file a new bug against spin-kickstarts.
(In reply to Brian C. Lane from comment #7) > (In reply to Arkady L. Shane from comment #6) > > On LIVE Image builded with livecd-tools 19.3 is unable to login as root > > and/or run LIVEINST now. > > Correct. The live kickstarts need to be modified to remove the root > password. I've sent a patch for that to the spin-kickstarts list. Also, this > bug is not the right place for bugs in spins. Please file a new bug against > spin-kickstarts. trick: open a console and write sudo passwd root After given passwd you can start liveinst. Manfred
I have applied (well, it didn't apply cleanly any more so I just re-did it) bcl's submitted patch for fedora-live-base.ks that does 'passwd -d root' so the root account is once more accessible without a password on the Fedora live images, as is intended to be the case. If someone considers this to be problem, please speak up :) This change should only affect images that are built with the fedora-live-base.ks kickstart included, so if the 'appliance' images where this behaviour is not desired are not based off that kickstart, things should be fine. If they *are* based off that kickstart, we may need to split things out some more.
https://git.fedorahosted.org/cgit/spin-kickstarts.git/commit/?h=f19&id=94d8808a138085238b7e9053aec194bbabc6aa43
Cloud images should be using kickstarts from cloud-kickstarts git repo, see comment #5.
Current cloud image kickstarts both specify rootpw --lock and call passwd -l root in %post for good measure. In the primary "-cloud" kickstart file, the assumption is that you will provide an SSH key via your cloud provider's metadata service, and this is injected into the system on boot.
livecd-tools-17.17-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
livecd-tools-19.4-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 961166 has been marked as a duplicate of this bug. ***