Date: Thu, 23 May 2013 07:17:14 -0700
From: "Brian C. Lane" <bcl@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2013-2069 livecd-tools: improper handling of passwords

https://bugzilla.redhat.com/show_bug.cgi?id=964299

The livecd-tools package provides support for reading and executing Kickstart files in order to create a system image.

It was discovered that livecd-tools gave the root user an empty password rather than leaving the password locked in situations where no 'rootpw' directive was used or when the 'rootpw --lock' directive was used within the Kickstart file, which could allow local users to gain access to the root account. (CVE-2013-2069)

Please note that livecd-tools is also used by appliance-tools to create images used for virtual machines, USB based systems, and so on. Additionally, the Python script components of livecd-tools have been broken out into a separate package named python-imgcreate on some distributions (such as Fedora).

Acknowledgements:

Red Hat would like to thank Amazon Web Services for reporting this issue. Amazon Web Services acknowledges Sylvain Beucler as the original reporter.

-- 
Brian C. Lane | Anaconda Team | IRC: bcl #anaconda | Port Orchard, WA (PST8PDT)

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
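The following is an added audit example, not part of the original post and not code from livecd-tools or python-imgcreate. It shows how an image builder can verify the outcome the advisory describes: it reads the 'rootpw' directive from a Kickstart file to derive the expected state of the root account (no directive or 'rootpw --lock' should leave root locked), then classifies the root entry of the built image's /etc/shadow so that an empty password field, the defect behind CVE-2013-2069, is flagged. The Kickstart and shadow contents used as input are constructed samples, and the function names are this example's own.

```python
"""Audit the root password state of a built image against its Kickstart.

Added example (hypothetical helper names, constructed sample data); it is not
livecd-tools code. A root entry with an empty second field in /etc/shadow
permits root login with no password, which is what CVE-2013-2069 produced.
"""

# Constructed sample Kickstart fragments (not from any real build).
KS_NO_ROOTPW = "lang en_US.UTF-8\nkeyboard us\n"
KS_ROOTPW_LOCK = "lang en_US.UTF-8\nrootpw --lock\n"
KS_ROOTPW_HASH = "rootpw --iscrypted $6$saltsalt$placeholderhashvalue\n"

# Constructed sample /etc/shadow contents for three built images.
SHADOW_EMPTY_ROOT = "root::15800:0:99999:7:::\nbin:*:15800:0:99999:7:::\n"
SHADOW_LOCKED_ROOT = "root:!!:15800:0:99999:7:::\nbin:*:15800:0:99999:7:::\n"
SHADOW_HASHED_ROOT = "root:$6$saltsalt$placeholderhashvalue:15800:0:99999:7:::\n"


def expected_root_state(kickstart_text):
    """Return the root password state a Kickstart should produce.

    'locked' when no rootpw directive is present or when --lock is given;
    'hashed' when a password (plaintext or --iscrypted) is supplied.
    """
    for line in kickstart_text.splitlines():
        line = line.strip()
        if not line.startswith("rootpw"):
            continue
        args = line.split()[1:]
        if "--lock" in args:
            return "locked"
        return "hashed"
    return "locked"


def root_password_state(shadow_text):
    """Classify the root entry of an /etc/shadow file.

    Returns 'empty' (no password required: the vulnerable outcome),
    'locked' ('!' prefix or '*'), 'hashed' (a real hash) or 'missing'
    (no root entry at all).
    """
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] != "root":
            continue
        pw = fields[1] if len(fields) > 1 else ""
        if pw == "":
            return "empty"
        if pw.startswith("!") or pw == "*":
            return "locked"
        return "hashed"
    return "missing"


def audit_image(kickstart_text, shadow_text):
    """Compare expected and actual root state; ok is False on any mismatch."""
    expected = expected_root_state(kickstart_text)
    actual = root_password_state(shadow_text)
    return {"expected": expected, "actual": actual, "ok": expected == actual}


if __name__ == "__main__":
    # A locked Kickstart that produced an empty root password is the bug.
    print(audit_image(KS_ROOTPW_LOCK, SHADOW_EMPTY_ROOT))
    print(audit_image(KS_NO_ROOTPW, SHADOW_LOCKED_ROOT))
    print(audit_image(KS_ROOTPW_HASH, SHADOW_HASHED_ROOT))
```

Run this against the /etc/shadow extracted from a freshly built image as a post-build check; any result where `actual` is `empty` should fail the build regardless of what the Kickstart requested, since no directive combination is meant to produce a passwordless root.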