Bugzilla – Bug 1140749
VUL-1: CVE-2019-13313: libosinfo: osinfo-install-script option leaks password via command line argument
Last modified: 2020-06-12 20:54:16 UTC
rh#1727766 libosinfo 1.5.0 allows local users to discover credentials by listing a process, because credentials are passed to osinfo-install-script via the command line.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1727766
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13313
http://seclists.org/oss-sec/2019/q3/17
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13313.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13313
https://www.redhat.com/archives/libosinfo/2019-July/msg00026.html
https://gitlab.com/libosinfo/libosinfo/-/tags
https://gitlab.com/libosinfo/libosinfo/blob/master/NEWS
https://libosinfo.org/download/
Currently, only openSUSE Factory / Tumbleweed use version 1.5.0.
Also the older versions pass passwords through on the command line. That said, with the small time window in which this can happen, there is no urgency in fixing this.
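As an added illustration (not part of this bug report and not libosinfo's code): a POSIX shell demonstration of why a password in a process's argv is readable by any local user, for exactly the "time window" mentioned above, through /proc/PID/cmdline or ps, and of the usual mitigation of putting the secret in a 0600 file and passing only the path. The option names --admin-password / --admin-password-file and the sleep-based stand-in for the installer are assumptions made for the demo, not osinfo-install-script's real interface.

```shell
#!/bin/sh
# Added demonstration (not libosinfo code): a secret placed in a process's argv
# is readable by every local user for as long as the process lives, and the
# standard mitigation is to pass a path to a 0600 file (or use stdin) instead.
# "--admin-password=" / "--admin-password-file=" and the sleep-based stand-in
# for the installer are assumptions for this demo, not osinfo-install-script's
# actual interface.

# Print the argv of process $1 on one line, exactly as a snooping local user
# would see it: /proc/PID/cmdline is world-readable on Linux and ps reads the
# same data, so no privilege is needed.
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start a stand-in for the installer with the given argument, snapshot its argv
# while it runs, then tear it down.  Two commands in -c keep the shell from
# exec-replacing itself with sleep (which would drop the argv we want to show);
# stdio is detached so the child cannot hold the caller's pipes open.
snapshot_argv() {
    sh -c 'sleep 3; exit 0' sh "$1" </dev/null >/dev/null 2>&1 &
    pid=$!
    sleep 1                       # give the child time to exec
    seen=$(argv_of "$pid")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$seen"
}

# Vulnerable pattern (what CVE-2019-13313 describes): the secret is an argument,
# so the returned line contains it in clear text.
leak_via_argv() {
    snapshot_argv "--admin-password=$1"
}

# Mitigated pattern: the secret lives in a file only the invoking user can read
# (mktemp creates it mode 0600) and only the path goes on the command line; the
# real installer would read the password from that path.
pass_via_file() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    snapshot_argv "--admin-password-file=$tmp"
    rm -f "$tmp"
}

# Stand-alone run: show both argv snapshots side by side ("hunter2" is a
# constructed sample password).
echo "argv with password:  $(leak_via_argv hunter2)"
echo "argv with file path: $(pass_via_file hunter2)"
```

The snapshot is taken a second after spawn, which is enough for the child to exec; on a real system the exposure lasts the whole runtime of the process, and tools such as `ps auxww` or a loop over /proc/*/cmdline pick it up without any special access. Passing the secret on stdin, or via an environment variable where /proc/PID/environ is restricted to the owner, are the other common fixes.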
SUSE-SU-2019:2273-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 1054986,1105607,1122858,1140749
CVE References: CVE-2019-13313
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src): libosinfo-0.2.12-13.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): libosinfo-0.2.12-13.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.