shadow-maint / shadow

Upstream shadow tree

useradd/groupadd report warning #938

Open pawanbadganchi opened 7 months ago

pawanbadganchi commented 7 months ago

useradd/groupadd report errors as below:

We are using this shadow library in our application. When we compile our application we get the warning below in log.do_prepare_recipe_sysroot:

"configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
"configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"

The above warning is observed even though the CVE patches below are already in our code on the kirkstone branch:

CVE-2023-29383.patch, 0001-Overhaul-valid_field.patch

pawanbadganchi commented 7 months ago

@ikerexxe @alejandro-colomar Could you please help here?

alejandro-colomar commented 7 months ago

What are those patch names?

Also, the CVE is fixed in 4.14, right?

ikerexxe commented 7 months ago

> We are using this shadow library in our application. When we compile our application we get the warning below in log.do_prepare_recipe_sysroot

I think it would be nice to have an explanation of who you are referring to by "we". Are you referring to a well-known distribution? Or are you the developer of some homemade distribution?

> CVE-2023-29383.patch, 0001-Overhaul-valid_field.patch

I don't have access to those patches. Have they been upstreamed? If so, can you provide a link to their commit hashes?

> Also, the CVE is fixed in 4.14, right?

Yes, so either they rebase to 4.14, or they manually port that patch.

pawanbadganchi commented 7 months ago

> What are those patch names?

> Also, the CVE is fixed in 4.14, right?

The patch names are below: 0001-Overhaul-valid_field.patch, CVE-2023-29383.patch

Yes, it is fixed in 4.14.

Below is the commit hash link: https://git.yoctoproject.org/poky/commit/?id=ef16919e98108724ede5ad5d79e3cbab1918d6d5

A discussion took place on the meta-openembedded mailing list, and they merged it upstream in kirkstone as well as in master.

https://lists.openembedded.org/g/openembedded-core/message/180212

pawanbadganchi commented 7 months ago

> > We are using this shadow library in our application. When we compile our application we get the warning below in log.do_prepare_recipe_sysroot
>
> I think it would be nice to have an explanation of who you are referring to by "we". Are you referring to a well-known distribution? Or are you the developer of some homemade distribution?
>
> > CVE-2023-29383.patch, 0001-Overhaul-valid_field.patch
>
> I don't have access to those patches. Have they been upstreamed? If so, can you provide a link to their commit hashes?
>
> > Also, the CVE is fixed in 4.14, right?
>
> Yes, so either they rebase to 4.14, or they manually port that patch.

Yes, I am the developer of a well-known distribution.

Yes, they have been upstreamed and fixed in version 4.14. Below is the commit hash link: https://git.yoctoproject.org/poky/commit/?id=ef16919e98108724ede5ad5d79e3cbab1918d6d5

A discussion took place on the meta-openembedded mailing list, and they merged it upstream in kirkstone as well as in master.

https://lists.openembedded.org/g/openembedded-core/message/180212

ikerexxe commented 7 months ago

At this point I have read this topic two times and I don't understand where the problem lies. You mention two patches that I thought were missing in your distribution, but apparently they have already been backported. So, what are you looking for? Can you state the problem in other terms?

pawanbadganchi commented 7 months ago

> At this point I have read this topic two times and I don't understand where the problem lies. You mention two patches that I thought were missing in your distribution, but apparently they have already been backported. So, what are you looking for? Can you state the problem in other terms?

@ikerexxe We are using this shadow library in our application. When we compile our application we get the warning below in log.do_prepare_recipe_sysroot.

The warning below is observed even though the CVE patches below are already in our code on the kirkstone branch.

"configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
"configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"

CVE-2023-29383.patch, 0001-Overhaul-valid_field.patch

What could be the reason for this warning?

ikerexxe commented 7 months ago

Taking a look at the openembedded distribution email that you sent, it seems like they have another patch to silence those warnings:

> 2. The fix of cve caused useradd/groupadd report errors as below:
> "configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
> "configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"
> so backport another patch to fix useradd/groupadd wrong parameter issue.

However, the only other commit that is referenced is https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d, and from a first glance that doesn't seem to fix the issue. I'd recommend you to reply to that email to understand how they "fixed" the problem.
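For readers triaging this kind of warning in their own build: the message quoted in the thread is what shadow's login.defs reader (lib/getdef.c) prints for a key it does not find in its compiled-in item table, and which keys that table contains depends on how shadow was built (my assumption from reading upstream source, not something the thread establishes). The script below is an added example, not code from the shadow project or from this issue, that parses a login.defs file and lists the keys a given build would reject. KNOWN_ITEMS and SAMPLE_LOGIN_DEFS are constructed samples, not shadow's real table or Yocto's real login.defs.

```python
"""List login.defs keys that a given shadow build would report as unknown.

Added example (not shadow project code). The warning text matches what
shadow's getdef.c emits; KNOWN_ITEMS is a constructed stand-in for the
build's real item table, which you would take from the shadow source of
the exact version and build options (e.g. PAM or not) you ship.
"""
from typing import List, Tuple

# Constructed sample: keys a hypothetical shadow build recognises.
KNOWN_ITEMS = frozenset({
    "UID_MIN", "UID_MAX", "GID_MIN", "GID_MAX", "UMASK",
    "PASS_MAX_DAYS", "PASS_MIN_DAYS", "PASS_WARN_AGE",
    "ENCRYPT_METHOD", "CREATE_HOME", "USERGROUPS_ENAB",
})

# Constructed login.defs fragment containing two keys the sample build
# does not know (the same two names that appear in the issue).
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs - constructed sample
UID_MIN          1000
UID_MAX          60000
UMASK            077
SYSLOG_SU_ENAB   yes
SYSLOG_SG_ENAB   yes
PASS_MAX_DAYS    99999
  # indented comment, also ignored
ENCRYPT_METHOD   SHA512
"""

WARNING_FMT = "configuration error - unknown item '{}' (notify administrator)"


def parse_login_defs(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, key, value) for every item line in login.defs text.

    Blank lines and lines whose first non-blank character is '#' are
    skipped; a key with no value is kept with an empty value so that it is
    still checked against the known-item table.
    """
    items: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) == 2 else ""
        items.append((lineno, key, value))
    return items


def unknown_items(text: str, known=KNOWN_ITEMS) -> List[Tuple[int, str]]:
    """(line_no, key) for each key the build's item table does not contain."""
    return [(n, k) for n, k, _ in parse_login_defs(text) if k not in known]


def format_warnings(text: str, known=KNOWN_ITEMS) -> List[str]:
    """The warning lines shadow would print, one per unknown key."""
    return [WARNING_FMT.format(k) for _, k in unknown_items(text, known)]


def report(text: str, known=KNOWN_ITEMS) -> str:
    """Human-readable summary pointing at the offending line numbers."""
    bad = unknown_items(text, known)
    if not bad:
        return "login.defs: all keys are known to this build"
    lines = [f"login.defs: {len(bad)} key(s) this build will reject:"]
    lines += [f"  line {n}: {k}" for n, k in bad]
    return "\n".join(lines)


if __name__ == "__main__":
    # Check the constructed sample; replace SAMPLE_LOGIN_DEFS with the
    # contents of your image's /etc/login.defs to check a real file.
    print(report(SAMPLE_LOGIN_DEFS))
    for w in format_warnings(SAMPLE_LOGIN_DEFS):
        print(w)
```

Run against the sample it reports lines 5 and 6 (SYSLOG_SU_ENAB and SYSLOG_SG_ENAB); with a real login.defs and the key list of your actual build it tells you whether the warning comes from the file carrying keys the binary was built without, which is a different fix (trim or conditionalise the file) than backporting another shadow patch.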

pawanbadganchi commented 7 months ago

> Taking a look at the openembedded distribution email that you sent, it seems like they have another patch to silence those warnings:
>
> > 2. The fix of cve caused useradd/groupadd report errors as below:
> > "configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
> > "configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"
> > so backport another patch to fix useradd/groupadd wrong parameter issue.
>
> However, the only other commit that is referenced is e5905c4, and from a first glance that doesn't seem to fix the issue. I'd recommend you to reply to that email to understand how they "fixed" the problem.

This is the other patch, 0001-Overhaul-valid_field.patch, which we also have in our code, but the issue is still coming. Okay, I will reply to that email.