Bug 1203852 - (CVE-2022-3287) VUL-0: CVE-2022-3287: fwupd: world readable password in /etc/fwupd/redfish.conf
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Dominique Leuenberger
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/343745/
Reported: 2022-09-28 15:09 UTC by Thomas Leroy
Modified: 2023-01-17 20:36 UTC (History)

Found By: Security Response Team
Description Thomas Leroy 2022-09-28 15:09:10 UTC
rh#2129904

When the redfish plugin automatically creates an OPERATOR user account on the BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it is chmod'ed to 0660 before writing the file with g_key_file_save_to_file(). The GLib in RHEL 9 versions instead calls g_file_set_contents_full() with the mode hardcoded to 0666, which undoes the previous chmod().

Upstream fix:
https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2129904
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3287
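The chmod-then-rewrite sequence from the description, beside a write that keeps the mode, as an added plain-POSIX C illustration that is neither fwupd's nor GLib's code and not the upstream fix: replace_via_temp stands in for the save-to-file helper, the file paths and contents are constructed, and the Password= key name is assumed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if any group/other bit is set on path, 0 if owner-only, -1 if stat() fails. */
int has_group_or_world_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) != 0 ? -1 : (st.st_mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Write contents to a new temp file and rename it over path, as a save-to-file
 * helper does. The new inode gets create_mode masked by the umask; a chmod()
 * done on the old file beforehand is discarded together with the old inode. */
static int replace_via_temp(const char *path, const char *contents, mode_t create_mode)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp)
        return -1;
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, create_mode);
    if (fd < 0)
        return -1;
    size_t len = strlen(contents);
    int ok = write(fd, contents, len) == (ssize_t)len && fsync(fd) == 0;
    ok = close(fd) == 0 && ok;    /* always close, even after a failed write */
    if (!ok || rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Sequence from the report: chmod() the existing file to 0660, then let the helper
 * re-create it asking for 0666. Under umask 022 (set here so the outcome is
 * deterministic) the password file ends up 0644, i.e. world readable. */
int save_chmod_then_helper(const char *path, const char *contents)
{
    mode_t old = umask(022);
    (void)chmod(path, 0660);  /* applies to the inode that is about to be replaced */
    int rc = replace_via_temp(path, contents, 0666);
    umask(old);
    return rc;
}

/* Hardened: ask for 0600 at creation. umask can only clear bits, so group and
 * other never gain access regardless of the process umask. */
int save_with_mode(const char *path, const char *contents)
{
    return replace_via_temp(path, contents, 0600);
}
```

The same stat check, run against /etc/fwupd/redfish.conf after an update, is the quickest way to confirm a packaged fix actually took effect.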
Comment 1 Thomas Leroy 2022-09-28 15:09:56 UTC
Buggy feature added in 1.7.4, SUSE codestreams are not affected.

openSUSE:Factory affected
Comment 2 Bjørn Lie 2022-09-30 19:37:37 UTC
Fixed in sr

https://build.opensuse.org/request/show/1006595

on its way to factory