Fix rpm-ostree CVE-2024-2905 (world-readable /etc/[g]shadow[-])

[jlebon]

• GHSA-2m76-cwhg-7wv6
• https://access.redhat.com/security/cve/CVE-2024-2905

[travier]

Some historical links for a closely related fix:

• overlay.d & tests/misc-ro: Fix and test for 664 mode for some files in /etc fedora-coreos-config#1003
• Group writable files in /etc #829

[dustymabe]

Copying some info forward:

The underlying issue is related to coreos/rpm-ostree#4503, which was first released in rpm-ostree v2023.6.

That version was never released in Fedora, but v2023.7 was first in bodhi stable in early September 2023.

Fedora CoreOS versions were affected when rpm-ostree-2023.7-1 entered our CoreOS Assembler build container. Tracing our testing-devel stream the last good and first bad were:

• 38.20230904.20.0 -> good
• 38.20230906.20.1 -> bad

So the bad version of rpm-ostree got into CoreOS Assembler ~09/06/2023. Based on this I tested and here are the last good and first bad for each of our production streams:

• stable
  • 38.20230819.3.0 -> good
  • 38.20230902.3.0 -> bad
• testing
  • 38.20230902.2.0 -> good
  • 38.20230902.2.1 -> bad
• next
  • 38.20230902.1.0 -> good
  • 38.20230902.1.1 -> bad

[dustymabe]

PRs for stable, testing-devel, and next-devel:

• [stable] overrides: fast-track rpm-ostree-2024.4-6.fc39 fedora-coreos-config#2951
• overrides: fast-track rpm-ostree-2024.4-6.fc39 fedora-coreos-config#2950
• [next-devel] overrides: fast-track rpm-ostree-2024.4-5.fc40 fedora-coreos-config#2949

[dustymabe]

The fix for this went into next stream release 40.20240408.1.0. Please try out the new release and report issues.

[dustymabe]

The fix for this went into testing stream release 39.20240407.2.0. Please try out the new release and report issues.

[dustymabe]

The fix for this went into stable stream release 39.20240322.3.1.