On 10/04/2024 15.52, Timothée Ravier wrote:
Due to a bug in rpm-ostree, the /etc/shadow, /etc/shadow-, /etc/gshadow and
/etc/gshadow- files in Fedora CoreOS, IoT, Atomic Desktops have the
world-readable bit set.
== Affected versions ==
All Fedora CoreOS nodes installed starting from the following versions are
impacted:
- stable: 38.20230902.3.0
- testing: 38.20230902.2.1
- next: 38.20230902.1.1
Fedora IoT and Fedora Atomic Desktops (Silverblue, Kinoite, Sway Atomic, Budgie
Atomic) systems that were installed from Fedora 39 and later release media and
ISOs are affected.
This only impacts new installations and not updated systems thus systems
installed from artifacts before those releases are not impacted (Fedora 38 or
earlier).
This only impacts systems where a password is set. Systems where only SSH keys
were used are not impacted by this vulnerability even though it is present on
the node.
On systems with SELinux enabled and in enforcing mode, access to those files is
limited to unconfined (usually interactive) users, unconfined systemd services
and privileged containers. Confined daemons, users and containers are not able
to access them.
== Fixed versions ==
The following Fedora CoreOS versions fix the issue and include a systemd unit
to fix existing systems on update:
- stable: 39.20240322.3.1
- testing: 39.20240407.2.0
- next: 40.20240408.1.0
Fedora CoreOS systems with automatic updates enabled will automatically get the
update starting on 2024-04-10 14:00 UTC.
Fedora Atomic Desktops version 39.20240410.1 includes the fix. The fix is still
pending for Fedora Atomic Desktops 40 (not officially released yet).
An update with the fix for Fedora IoT is still pending.
== Workaround / immediate fix ==
To immediately fix existing systems, you can run the following command as root:
chmod --verbose 0000 /etc/shadow /etc/gshadow /etc/shadow- /etc/gshadow-
As a precaution, we recommend rotating all user credentials stored in those
files.
== References ==
GitHub Security Advisory:
https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
Red Hat Security Advisory: https://access.redhat.com/security/cve/CVE-2024-2905
Fedora CoreOS issue: https://github.com/coreos/fedora-coreos-tracker/issues/1705
--
I suggest to open and maintain a Project Discussion topic (such as [1]) because
the majority of users will watch there rather than here.
Let me know if I can help there.
[1]
https://discussion.fedoraproject.org/t/attention-malicious-code-in-current-beta-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue