Login-Name Passwort


Sicherheit: Fehlerhafte Zugriffsrechte in livecd-tools
Aktuelle Meldungen Distributionen
Name: Fehlerhafte Zugriffsrechte in livecd-tools
ID: FEDORA-2013-9111
Distribution: Fedora
Plattformen: Fedora 17
Datum: Di, 11. Juni 2013, 12:42
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2069


Name        : livecd-tools
Product : Fedora 17
Version : 17.17
Release : 1.fc17
URL : http://git.fedorahosted.org/git/livecd
Summary : Tools for building live CDs
Description :
Tools for generating live CDs on Fedora based systems including
derived distributions such as RHEL, CentOS and others. See
http://fedoraproject.org/wiki/FedoraLiveCD for more details.

Update Information:

The livecd-tools package provides support for reading and executing
Kickstart files in order to create a system image. It was discovered
that livecd-tools gave the root user an empty password rather than
leaving the password locked in situations where no 'rootpw' directive
was used or when the 'rootpw --lock' directive was used within the
Kickstart file, which could allow local users to gain access to the
root account. (CVE-2013-2069)

Please note that livecd-tools is also used by appliance-tools to create
images used for virtual machines, USB based systems, and so on.
Additionally, the Python script components of livecd-tools have been
broken out into a separate package named python-imgcreate on some
distributions (such as Fedora).


Red Hat would like to thank Amazon Web Services for reporting this issue.
Amazon Web Services acknowledges Sylvain Beucler as the original reporter.

* Thu May 23 2013 Brian C. Lane <bcl@redhat.com> 17.17-1
- Version 17.17 (bcl)
- Avoid setting empty root password (#964299) (thoger)
* Wed Apr 3 2013 Brian C. Lane <bcl@redhat.com> 17.16-1
- Version 17.16 (bcl)
- Use parted to check for GPT disklabel (#947653) (bcl)
- Output details of dep check failure (bcl)
- Properly generate kernel stanzas (#928093) (bcl)
- correctly check for selinux state (#896610) (bcl)
* Thu Sep 6 2012 Brian C. Lane <bcl@redhat.com> 17.15-1
- Version 17.15 (bcl)
- use cp -r instead of -a (bcl)
- New location for GRUB2 config on UEFI (#851220) (bcl)
* Mon Aug 6 2012 Brian C. Lane <bcl@redhat.com> 17.14-1
- Version 17.14 (bcl)
- dracut needs to load vfat and msdos filesystems (bcl)
* Thu Aug 2 2012 Brian C. Lane <bcl@redhat.com> 17.12-1
- Version 17.13 (bcl)
- Recognize rd.live.image as well as liveimg in sed scripts of livecd-iso-to-
disk & edit-livecd (fgrose)
- fix /etc/localtime file vs. symlink (#829032) (bcl)
* Tue Jul 31 2012 Brian C. Lane <bcl@redhat.com> 17.12-1
- Version 17.12 (bcl)
- dracut doesn't need explicit filesystems (bcl)
- livecd-creator: Add --cacheonly for offline use (martin)
- Implement cacheonly (offline) support in ImageCreator and LoopCreator
- if mounting squashfs add ro mount option (jboggs)
- imgcreate: Use copy2 for TimezoneConfig (#829032) (bcl)

[ 1 ] Bug #964299 - CVE-2013-2069 livecd-tools: improper handling of

This update can be installed with the "yum" update program. Use
su -c 'yum update livecd-tools' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
package-announce mailing list
Pro-Linux @Twitter
Neue Nachrichten