| Summary: | app-misc/livecd-tools : improper handling of passwords | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | normal | CC: | livecd |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=964299 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
We do not use the same livecd-tools RH uses, so I don't think this applies to us. hooray for auto-filing bugs sounds like a good use case for the CPE fields in metadata.xml |
From ${URL} : The livecd-tools package provides support for reading and executing Kickstart files in order to create a system image. It was discovered that livecd-tools gave the root user an empty password rather than leaving the password locked in situations where no 'rootpw' directive was used or when the 'rootpw --lock' directive was used within the Kickstart file, which could allow local users to gain access to the root account. (CVE-2013-2069) Please note that livecd-tools is also used by appliance-tools to create images used for virtual machines, USB based systems, and so on. Additionally, the Python script components of livecd-tools have been broken out into a separate package named python-imgcreate on some distributions. @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.