shadow-maint/shadow

useradd/groupadd report warning

pawanbadganchi opened this issue · 9 comments

useradd/groupadd report errors as below:

We are using this shadow library in our application.
When we compile our application, we get the warning below in log.do_prepare_recipe_sysroot:

"configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
"configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"

The above warning is observed even though the CVE fix below is already available in our code's kirkstone branch.

CVE-2023-29383.patch
0001-Overhaul-valid_field.patch

@ikerexxe @alejandro-colomar Could you please help here?

What are those patch names?

Also, the CVE is fixed in 4.14, right?

We are using this shadow library in our application. When we compile our application, we get the warning below in log.do_prepare_recipe_sysroot

I think it would be nice to have an explanation of who you are referring to by "we". Are you referring to a well-known distribution? Or are you the developer of some homemade distribution?

CVE-2023-29383.patch 0001-Overhaul-valid_field.patch

I don't have access to those patches. Have they been upstreamed? If so, can you provide a link to their commit hashes?

Also, the CVE is fixed in 4.14, right?

Yes, so either they rebase to 4.14, or they manually port that patch.

What are those patch names?

Also, the CVE is fixed in 4.14, right?

The patch names are below.
0001-Overhaul-valid_field.patch
CVE-2023-29383.patch

Yes, it is fixed in 4.14.

Below is the commit hash link.
https://git.yoctoproject.org/poky/commit/?id=ef16919e98108724ede5ad5d79e3cbab1918d6d5

A discussion happened on the meta-openembedded mailing list, and they merged it in upstream kirkstone as well as in master.

https://lists.openembedded.org/g/openembedded-core/message/180212

We are using this shadow library in our application. When we compile our application, we get the warning below in log.do_prepare_recipe_sysroot

I think it would be nice to have an explanation of who you are referring to by "we". Are you referring to a well-known distribution? Or are you the developer of some homemade distribution?

CVE-2023-29383.patch 0001-Overhaul-valid_field.patch

I don't have access to those patches. Have they been upstreamed? If so, can you provide a link to their commit hashes?

Also, the CVE is fixed in 4.14, right?

Yes, so either they rebase to 4.14, or they manually port that patch.

Yes, I am the developer of a well-known distribution.

Yes, they have been upstreamed and fixed in version 4.14.
Below is the commit hash link.
https://git.yoctoproject.org/poky/commit/?id=ef16919e98108724ede5ad5d79e3cbab1918d6d5

A discussion happened on the meta-openembedded mailing list, and they merged it in upstream kirkstone as well as in master.

https://lists.openembedded.org/g/openembedded-core/message/180212

At this point I have read this topic two times and I don't understand where the problem lies. You mention two patches that I thought were missing in your distribution, but apparently they have already been backported. So, what are you looking for? Can you state the problem in other terms?

At this point I have read this topic two times and I don't understand where the problem lies. You mention two patches that I thought were missing in your distribution, but apparently they have already been backported. So, what are you looking for? Can you state the problem in other terms?

@ikerexxe
We are using this shadow library in our application.
When we compile our application, we get the warning below in log.do_prepare_recipe_sysroot:

The warning below is observed even though the CVE fix below is already available in our code's kirkstone branch.

"configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
"configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"

CVE-2023-29383.patch
0001-Overhaul-valid_field.patch

What could be the reason for this warning?

Taking a look at the openembedded distribution email that you sent it seems like they have another patch to silence those warnings:

2. The fix of cve caused useradd/groupadd report errors as below:
"configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
"configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"
so backport another patch to fix useradd/groupadd wrong parameter's issue.

However, the only other commit that is referenced is e5905c4, and from a first glance that doesn't seem to fix the issue. I'd recommend that you reply to that email to understand how they "fixed" the problem.

Taking a look at the openembedded distribution email that you sent it seems like they have another patch to silence those warnings:

2. The fix of cve caused useradd/groupadd report errors as below:
"configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
"configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"
so backport another patch to fix useradd/groupadd wrong parameter's issue.

However, the only other commit that is referenced is e5905c4, and from a first glance that doesn't seem to fix the issue. I'd recommend that you reply to that email to understand how they "fixed" the problem.

This is the other patch, 0001-Overhaul-valid_field.patch, which we also have in our code, but the issue still occurs.
Okay, I will reply to that email.