Bug 1163813 - (CVE-2020-8018) VUL-0: CVE-2020-8018: User owned /etc in SLES15-SP1-CHOST-BYOS
Status: RESOLVED FIXED
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Critical
Target Milestone: ---
Assigned To: Robert Schweikert
QA Contact: Marcus Schaefer
Depends on:
Blocks: 1160988
Reported: 2020-02-17 09:26 UTC by Johannes Segitz
Modified: 2020-09-08 07:15 UTC
CC List: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2020-02-17 09:26:19 UTC
+++ This bug was initially created as a clone of Bug #1160988 +++

Based on the tip we got in 1160988 I checked all public cloud images. Almost all are fine, but in SUSE:SLE-15-SP1:Update:PubClouds/SLES15-SP1-CHOST-BYOS /etc is not owned by root
ls -lsd etc
12 drwxr-xr-x 73 1000 users 8192 Feb 11 10:35 etc

This comes from the tar files used to build the image.

We will probably have to assign a CVE from our pool for this. Are these images expected to be long-running? If so we need to release an update that fixes the broken permissions on already running systems.

Internal CRD: 2020-05-18 or earlier
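The report above boils down to two checks and one fix: inspect the tar files an image is built from for top-level directories not owned by uid 0, inspect a running instance the same way, and restore root ownership on instances already deployed. The script below is an added example written for this page; it is not part of the bug report, of the SUSE image build tooling, or of the released update. It assumes GNU tar (for the `-tv --numeric-owner` listing format) and GNU coreutils `stat`; the directory list in MUST_BE_ROOT and the sample archives built by make_sample_tar are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the SUSE image build tooling.
# Audits an image build tarball, and optionally a running system, for
# top-level directories that are not owned by uid 0, which is the defect
# described above (/etc owned by uid 1000 in the tar used to build the image).
# Assumes GNU tar (-tv --numeric-owner listing format) and GNU coreutils stat.

# Directories that must be owned by root in a system image (constructed list).
MUST_BE_ROOT="etc usr var bin sbin lib lib64 boot opt srv root"

# check_tar_ownership ARCHIVE
#   Lists ARCHIVE with numeric ids and prints "<member> <uid>" for every
#   member in MUST_BE_ROOT whose owner is not uid 0. Returns 1 if any such
#   member exists, 0 if the archive is clean.
check_tar_ownership() {
    archive=$1
    bad=$(tar --numeric-owner -tvf "$archive" | awk -v want="$MUST_BE_ROOT" '
        BEGIN {
            n = split(want, a, " ")
            for (i = 1; i <= n; i++) must[a[i] "/"] = 1   # tar lists dirs with a trailing /
        }
        {
            split($2, og, "/")          # field 2 is "uid/gid" with --numeric-owner
            name = $NF                  # member name is the last field for directories
            sub(/^\.\//, "", name)      # tolerate archives created as "./etc/"
            if ((name in must) && og[1] + 0 != 0) print name, og[1]
        }')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# check_dir_owner DIR
#   Live-system check: returns 0 if DIR is owned by uid 0, otherwise prints
#   the actual owner and returns 1 (2 if DIR cannot be stat'ed).
check_dir_owner() {
    uid=$(stat -c '%u' "$1") || return 2
    [ "$uid" -eq 0 ] && return 0
    printf '%s owned by uid %s, expected 0\n' "$1" "$uid"
    return 1
}

# fix_dir_owner DIR
#   Remediation for an already-running system (run as root). In the report
#   only the owner and group are wrong; the mode bits (drwxr-xr-x) are fine,
#   so chown is sufficient and the mode is deliberately left alone.
fix_dir_owner() {
    chown root:root "$1"
}

# make_sample_tar OUT UID
#   Builds a constructed tarball whose etc/ and usr/ are stamped with UID,
#   mimicking the reported build input (uid 1000) or a correct one (uid 0).
make_sample_tar() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/usr"
    tar --owner="$2" --group="$2" -cf "$1" -C "$d" etc usr
    rm -rf "$d"
}

# Stand-alone usage: audit a constructed bad archive, then a good one.
t=$(mktemp -d)
make_sample_tar "$t/bad.tar" 1000
make_sample_tar "$t/good.tar" 0
check_tar_ownership "$t/bad.tar"  || echo "bad.tar: non-root owned directories found"
check_tar_ownership "$t/good.tar" && echo "good.tar: clean"
rm -rf "$t"
```

Running check_tar_ownership against the real build inputs before the image is assembled would have caught this case at build time; check_dir_owner is the equivalent test for instances already running, and fix_dir_owner is the one-line remediation an update would apply to them.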
Comment 1 Johannes Segitz 2020-02-18 08:44:25 UTC
This issue will be handled according to our disclosure policy outlined in
https://en.opensuse.org/openSUSE:Security_disclosure_policy

The information listed here is not public. Please
- do not talk to other people about this unless they're involved in fixing the issue
- do not make this bug public
- do not submit this into OBS (e.g. fix Leap) until this is public

In accordance with our policy we will make this issue public at the latest by
Internal CRD: 2020-05-18 or earlier
This is the latest possible date and we prefer to make it public earlier if the
situation allows it. In that case we'll post a comment here setting the new
date.

Only a member of the security team is allowed to make this issue public. Please speak
to us if you want to take part in the public disclosure.

In doubt please talk to us on IRC (#security) or send us a mail (security@suse.de).
Comment 12 Robert Schweikert 2020-04-07 13:16:36 UTC
New images have been released.