Bugzilla – Bug 1163813
VUL-0: CVE-2020-8018: User owned /etc in SLES15-SP1-CHOST-BYOS
Last modified: 2020-09-08 07:15:42 UTC
+++ This bug was initially created as a clone of Bug #1160988 +++

Based on the tip we got in 1160988 I checked all public cloud images. Almost all are fine, but in SUSE:SLE-15-SP1:Update:PubClouds/SLES15-SP1-CHOST-BYOS /etc is not owned by root:

ls -lsd etc
12 drwxr-xr-x 73 1000 users 8192 Feb 11 10:35 etc

This comes from the tar files used to build the image. We will probably have to assign a CVE from our pool for this.

Are these images expected to be long-running? If so we need to release an update that fixes the broken permissions on already running systems.

Internal CRD: 2020-05-18 or earlier
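The report checks ownership of /etc by hand with `ls -lsd`. The following script is an added example, not part of the bug report or of any SUSE tooling: it audits a list of system paths for non-root ownership (the defect described above) and offers a guarded remediation for already-running systems. It assumes GNU coreutils `stat` (the `-c '%u'` format prints the numeric owner uid) and POSIX sh; the function names and the DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): audit whether system directories
# are owned by root (uid 0), as a check for the /etc ownership defect above.
# Assumes GNU coreutils `stat`; "-c %u" prints the numeric owner uid.

# Print the numeric uid owning PATH.
owner_uid() {
    stat -c '%u' "$1"
}

# Return 0 if PATH is owned by EXPECTED_UID (default 0 = root), 1 otherwise.
owned_by_uid() {
    path=$1
    expected=${2:-0}
    [ "$(owner_uid "$path")" = "$expected" ]
}

# Audit every given path; print each existing path that is not root-owned.
# Returns the number of mismatches, so 0 means all paths are root-owned.
audit_root_owned() {
    bad=0
    for p in "$@"; do
        if [ -e "$p" ] && ! owned_by_uid "$p" 0; then
            printf 'NOT ROOT-OWNED: %s (uid %s)\n' "$p" "$(owner_uid "$p")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Remediation for systems already built from a bad image: reset ownership of
# the listed paths to root:root. With DRY_RUN set it only reports what it
# would do, so the audit can be reviewed before anything is changed.
fix_root_owned() {
    for p in "$@"; do
        if [ -e "$p" ] && ! owned_by_uid "$p" 0; then
            if [ -n "${DRY_RUN:-}" ]; then
                printf 'would run: chown root:root %s\n' "$p"
            else
                chown root:root "$p"
            fi
        fi
    done
}

# Usage (as root):
#   audit_root_owned /etc /usr /var /bin /sbin /lib || DRY_RUN=1 fix_root_owned /etc
```

The audit deliberately checks the numeric uid rather than the name, since the broken image shows uid 1000 with the group name "users" and a name lookup could differ between the build host and the running instance.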
This issue will be handled according to our disclosure policy outlined in https://en.opensuse.org/openSUSE:Security_disclosure_policy

The information listed here is not public. Please
- do not talk to other people about this unless they're involved in fixing the issue
- do not make this bug public
- do not submit this into OBS (e.g. fix Leap) until this is public

In accordance with our policy we will make this issue public latest at

Internal CRD: 2020-05-18 or earlier

This is the latest possible date and we prefer to make it public earlier if the situation allows it. In that case we'll post a comment here setting the new date.

Only a member of the security team is allowed to make this issue public. Please speak to us if you want to take part in the public disclosure. In doubt please talk to us on IRC (#security) or send us a mail (security@suse.de).
New images have been released.