
List:       oss-security
Subject:    [oss-security] CVE-2013-2069 livecd-tools: improper handling of passwords
From:       "Brian C. Lane" <bcl () redhat ! com>
Date:       2013-05-23 14:17:14
Message-ID: 20130523141714.GY27789 () lister ! brianlane ! com


https://bugzilla.redhat.com/show_bug.cgi?id=964299

The livecd-tools package provides support for reading and executing
Kickstart files in order to create a system image. It was discovered
that livecd-tools gave the root user an empty password rather than
leaving the password locked in situations where no 'rootpw' directive
was used or when the 'rootpw --lock' directive was used within the
Kickstart file, which could allow local users to gain access to the
root account. (CVE-2013-2069)

Please note that livecd-tools is also used by appliance-tools to create
images used for virtual machines, USB based systems, and so on.
Additionally, the Python script components of livecd-tools have been
broken out into a separate package named python-imgcreate on some
distributions (such as Fedora).

Acknowledgements:

Red Hat would like to thank Amazon Web Services for reporting this
issue. 
Amazon Web Services acknowledges Sylvain Beucler as the original
reporter.

-- 
Brian C. Lane | Anaconda Team | IRC: bcl #anaconda | Port Orchard, WA (PST8PDT)
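The defect described above is an image whose root entry in /etc/shadow ends up with an empty password field instead of a locked one. The following is an added example, not code from livecd-tools or the advisory author, showing how an image validation step could distinguish the two states; the function names and the sample shadow lines are constructed for illustration.

```python
"""Check a built image's /etc/shadow for an unlocked, empty root password.

Added example (not livecd-tools code). Classifies the root entry of a
shadow file the way an image validation step might, distinguishing the
locked state a Kickstart 'rootpw --lock' asks for from an empty field.
"""


def classify_password_field(field):
    """Classify a shadow password field.

    Returns one of:
      'empty'  - empty field, password-less root login may be possible
      'locked' - account locked ('!', '!!', '*', or a '!'-prefixed hash)
      'hashed' - a normal password hash is present
    """
    if field == "":
        return "empty"
    if field.startswith("!") or field.startswith("*"):
        return "locked"
    return "hashed"


def root_password_state(shadow_text):
    """Find the root entry in shadow file contents and classify its field.

    Returns the classification, or 'missing' if there is no root line.
    """
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if parts[0] == "root":
            return classify_password_field(parts[1] if len(parts) > 1 else "")
    return "missing"


def image_root_is_safe(shadow_text):
    """True unless root's password field is empty (the CVE-2013-2069 condition)."""
    return root_password_state(shadow_text) != "empty"


# Constructed sample shadow contents (hypothetical, not from any real image).
VULNERABLE_SHADOW = "root::15848:0:99999:7:::\nbin:*:15848:0:99999:7:::\n"
LOCKED_SHADOW = "root:!!:15848:0:99999:7:::\nbin:*:15848:0:99999:7:::\n"

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_SHADOW), ("locked", LOCKED_SHADOW)):
        print(name, root_password_state(text), image_root_is_safe(text))
```

Running this against the shadow file extracted from a freshly built image flags the empty-root-password case before the image is shipped.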

