Hi,
I attached a patch/workaround for CVE-2014-4040.
CVE is about:
snap in powerpc-utils 1.2.20 produces an archive with fstab and
yaboot.conf files potentially containing cleartext passwords, and lacks
a warning about reviewing this archive to detect included passwords,
which might allow remote attackers to obtain sensitive information by
leveraging access to a technical-support data stream.
Solution:
print a warning that confidential data may be collected via snap
Regards,
Jan Löser
--
Jan Loeser, SLE Core
„May the Force.. POWER be with you“
SUSE Linux Products GmbH - GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
Maxfeldstraße 5, 90409 Nuernberg, Germany - HRB 16746 (AG Nuernberg)
Key Fingerprint = 3186 7823 9926 EC1D D47C B7C3 5EA6 ADAB 261C EF76
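
Added example, not part of the original message or the attached patch: a reviewer-side check that flags and redacts cleartext password values in the fstab and yaboot.conf copies found in a snap archive before it is sent to support. The function name `scan`, the `<REDACTED>` marker and the sample files are assumptions constructed for illustration; the matched keys are the CIFS-style `password=`/`pass=` mount options and the yaboot.conf `password=` directive.

```python
import re

# Assumption: secrets reach these files as CIFS-style "password="/"pass=" mount
# options in fstab and as the "password=" directive in yaboot.conf.
FSTAB_OPT = re.compile(r"(?<![^,])(password|pass)=([^,\s]+)", re.I)
YABOOT_LINE = re.compile(r"^(\s*password\s*=\s*)(\S.*)$", re.I)
MARK = "<REDACTED>"

# Constructed sample inputs (not taken from any real system).
SAMPLE_FSTAB = """\
/dev/sda2  /  ext3  acl,user_xattr  1 1
//fileserver/share  /mnt/share  cifs  username=backup,password=Example123,ro  0 0
"""
SAMPLE_YABOOT = """\
boot=/dev/sda1
password=ExampleBootPw
restricted
"""

def scan(name, text):
    """Return (findings, redacted_text); findings are (line_no, key) tuples."""
    findings, out = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):      # comments are left untouched
            out.append(line)
            continue
        if name == "fstab":
            fields = line.split()
            if len(fields) >= 4:               # 4th field holds mount options
                opts = fields[3]
                findings += [(no, m.group(1).lower())
                             for m in FSTAB_OPT.finditer(opts)]
                clean = FSTAB_OPT.sub(lambda m: m.group(1) + "=" + MARK, opts)
                line = line.replace(opts, clean, 1)
        elif name == "yaboot.conf":
            m = YABOOT_LINE.match(line)
            if m:
                findings.append((no, "password"))
                line = m.group(1) + MARK
        out.append(line)
    return findings, "\n".join(out) + "\n"

if __name__ == "__main__":
    for name, text in (("fstab", SAMPLE_FSTAB), ("yaboot.conf", SAMPLE_YABOOT)):
        found, redacted = scan(name, text)
        print(name, found, redacted, sep="\n")
```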