Impact
The /etc/shadow, /etc/shadow-, /etc/gshadow and /etc/gshadow- files in a default build have the world-readable bit set.
This only impacts commits built with rpm-ostree starting with v2023.6.
This only impacts new installation and not updated systems thus systems installed from artifacts generated before this release are not impacted.
On systems with SELinux enabled and in enforcing mode, access to those files is limited to unconfined (usually interactive) users, unconfined systemd services and privileged containers. Confined daemons, users and containers are not able to access them.
Patches
The patches for rpm-ostree are available in #4911. They include a systemd unit to fix existing systems on update.
Workarounds
To immediately fix existing systems, you can run the following command as root:
chmod --verbose 0000 /etc/shadow /etc/gshadow /etc/shadow- /etc/gshadow-
References
This issue was inadvertently introduced in #4503, which was first released in rpm-ostree v2023.6.
Affected projects
rpm-ostree v2023.6 was never released in Fedora, but v2023.7 was first in bodhi stable in early September 2023.
See CVE-2024-2905 for impacted Red Hat products.
Fedora CoreOS
Fedora CoreOS versions were affected when rpm-ostree-2023.7-1 entered the CoreOS Assembler build container. Tracing the testing-devel stream, the last good and first bad were:
38.20230904.20.0 -> good38.20230906.20.1 -> bad
So the bad version of rpm-ostree got into CoreOS Assembler ~09/06/2023. Here are the last good and first bad for each of our production streams:
stable
38.20230819.3.0 -> good38.20230902.3.0 -> bad
testing
38.20230902.2.0 -> good38.20230902.2.1 -> bad
next
38.20230902.1.0 -> good38.20230902.1.1 -> bad
Fedora Atomic Desktops and Fedora IoT
Fedora IoT and Fedora Atomic Desktops (Silverblue, Kinoite, Sway Atomic, Budgie Atomic) systems that were installed from Fedora 39 and later release media and ISOs are affected.
System that were installed using Fedora 38 release media and before and which have been updated are NOT impacted.
Chief-Engineer Reporter
Impact
The
/etc/shadow,/etc/shadow-,/etc/gshadowand/etc/gshadow-files in a default build have the world-readable bit set.This only impacts commits built with rpm-ostree starting with v2023.6.
This only impacts new installation and not updated systems thus systems installed from artifacts generated before this release are not impacted.
On systems with SELinux enabled and in enforcing mode, access to those files is limited to unconfined (usually interactive) users, unconfined systemd services and privileged containers. Confined daemons, users and containers are not able to access them.
Patches
The patches for rpm-ostree are available in #4911. They include a systemd unit to fix existing systems on update.
Workarounds
To immediately fix existing systems, you can run the following command as root:
References
This issue was inadvertently introduced in #4503, which was first released in rpm-ostree v2023.6.
Affected projects
rpm-ostree v2023.6 was never released in Fedora, but v2023.7 was first in bodhi stable in early September 2023.
See CVE-2024-2905 for impacted Red Hat products.
Fedora CoreOS
Fedora CoreOS versions were affected when
rpm-ostree-2023.7-1entered the CoreOS Assembler build container. Tracing thetesting-develstream, the last good and first bad were:38.20230904.20.0-> good38.20230906.20.1-> badSo the bad version of
rpm-ostreegot into CoreOS Assembler ~09/06/2023. Here are the last good and first bad for each of our production streams:stable38.20230819.3.0-> good38.20230902.3.0-> badtesting38.20230902.2.0-> good38.20230902.2.1-> badnext38.20230902.1.0-> good38.20230902.1.1-> badFedora Atomic Desktops and Fedora IoT
Fedora IoT and Fedora Atomic Desktops (Silverblue, Kinoite, Sway Atomic, Budgie Atomic) systems that were installed from Fedora 39 and later release media and ISOs are affected.
System that were installed using Fedora 38 release media and before and which have been updated are NOT impacted.