
A libeconf, shadow and util-linux security update has been released for openSUSE Leap 15.3.



openSUSE-SU-2022:0727-1: moderate: Security update for libeconf, shadow and util-linux


openSUSE Security Update: Security update for libeconf, shadow and util-linux
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:0727-1
Rating: moderate
References: #1188507 #1192954 #1193632 #1194976 SLE-23384
SLE-23402
Cross-References: CVE-2021-3995 CVE-2021-3996
CVSS scores:
CVE-2021-3995 (SUSE): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-3996 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________

An update that solves two vulnerabilities, contains two
features and has two fixes is now available.

Description:

This security update for libeconf, shadow and util-linux fixes the following
issues:

libeconf:

- Add libeconf to SLE-Module-Basesystem_15-SP3 because it is needed by
'util-linux' and 'shadow' to fix autoyast handling of security-related
parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

Issues fixed in libeconf:
- Reading numbers with different bases (e.g. octal) (bsc#1193632) (#157)
- Fixed different issues while writing string values to file.
- Writing comments to file too.
- Fixed crash while merging values.
- Added econftool cat option (#146)
- new API call: econf_readDirsHistory (showing ALL locations)
- new API call: econf_getPath (absolute path of the configuration file)
- Man pages libeconf.3 and econftool.8.
- Handling multiline strings.
- Added libeconf_ext which returns more information like line_nr,
comments, path of the configuration file,...
- Econftool, a command line interface for handling configuration files.
- Generating HTML API documentation with doxygen.
- Improving error handling and semantic file check.
- Joining entries with the same key to one single entry if env variable
ECONF_JOIN_SAME_ENTRIES has been set.

shadow:

- The legacy code does not support /etc/login.defs.d used by YaST. Enable
libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

util-linux:

- The legacy code does not support /etc/login.defs.d used by YaST. Enable
libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
- Allow use of larger values for start sector to prevent `blockdev
--report` aborting (bsc#1188507)
- Fixed `blockdev --report` using non-space characters as a field
separator (bsc#1188507)
- CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount.
(bsc#1194976)
- CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount.
(bsc#1194976)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.3:

zypper in -t patch openSUSE-SLE-15.3-2022-727=1


Package List:

- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

libblkid-devel-2.36.2-150300.4.14.3
libblkid-devel-static-2.36.2-150300.4.14.3
libblkid1-2.36.2-150300.4.14.3
libblkid1-debuginfo-2.36.2-150300.4.14.3
libeconf-debugsource-0.4.4+git20220104.962774f-150300.3.6.2
libeconf-devel-0.4.4+git20220104.962774f-150300.3.6.2
libeconf0-0.4.4+git20220104.962774f-150300.3.6.2
libeconf0-debuginfo-0.4.4+git20220104.962774f-150300.3.6.2
libfdisk-devel-2.36.2-150300.4.14.3
libfdisk-devel-static-2.36.2-150300.4.14.3
libfdisk1-2.36.2-150300.4.14.3
libfdisk1-debuginfo-2.36.2-150300.4.14.3
libmount-devel-2.36.2-150300.4.14.3
libmount-devel-static-2.36.2-150300.4.14.3
libmount1-2.36.2-150300.4.14.3
libmount1-debuginfo-2.36.2-150300.4.14.3
libsmartcols-devel-2.36.2-150300.4.14.3
libsmartcols-devel-static-2.36.2-150300.4.14.3
libsmartcols1-2.36.2-150300.4.14.3
libsmartcols1-debuginfo-2.36.2-150300.4.14.3
libuuid-devel-2.36.2-150300.4.14.3
libuuid-devel-static-2.36.2-150300.4.14.3
libuuid1-2.36.2-150300.4.14.3
libuuid1-debuginfo-2.36.2-150300.4.14.3
python3-libmount-2.36.2-150300.4.14.2
python3-libmount-debuginfo-2.36.2-150300.4.14.2
python3-libmount-debugsource-2.36.2-150300.4.14.2
shadow-4.8.1-150300.4.3.8
shadow-debuginfo-4.8.1-150300.4.3.8
shadow-debugsource-4.8.1-150300.4.3.8
util-linux-2.36.2-150300.4.14.3
util-linux-debuginfo-2.36.2-150300.4.14.3
util-linux-debugsource-2.36.2-150300.4.14.3
util-linux-systemd-2.36.2-150300.4.14.2
util-linux-systemd-debuginfo-2.36.2-150300.4.14.2
util-linux-systemd-debugsource-2.36.2-150300.4.14.2
uuidd-2.36.2-150300.4.14.2
uuidd-debuginfo-2.36.2-150300.4.14.2

- openSUSE Leap 15.3 (x86_64):

libblkid-devel-32bit-2.36.2-150300.4.14.3
libblkid1-32bit-2.36.2-150300.4.14.3
libblkid1-32bit-debuginfo-2.36.2-150300.4.14.3
libeconf0-32bit-0.4.4+git20220104.962774f-150300.3.6.2
libeconf0-32bit-debuginfo-0.4.4+git20220104.962774f-150300.3.6.2
libfdisk-devel-32bit-2.36.2-150300.4.14.3
libfdisk1-32bit-2.36.2-150300.4.14.3
libfdisk1-32bit-debuginfo-2.36.2-150300.4.14.3
libmount-devel-32bit-2.36.2-150300.4.14.3
libmount1-32bit-2.36.2-150300.4.14.3
libmount1-32bit-debuginfo-2.36.2-150300.4.14.3
libsmartcols-devel-32bit-2.36.2-150300.4.14.3
libsmartcols1-32bit-2.36.2-150300.4.14.3
libsmartcols1-32bit-debuginfo-2.36.2-150300.4.14.3
libuuid-devel-32bit-2.36.2-150300.4.14.3
libuuid1-32bit-2.36.2-150300.4.14.3
libuuid1-32bit-debuginfo-2.36.2-150300.4.14.3

- openSUSE Leap 15.3 (noarch):

login_defs-4.8.1-150300.4.3.8
util-linux-lang-2.36.2-150300.4.14.3

References:

  https://www.suse.com/security/cve/CVE-2021-3995.html
  https://www.suse.com/security/cve/CVE-2021-3996.html
  https://bugzilla.suse.com/1188507
  https://bugzilla.suse.com/1192954
  https://bugzilla.suse.com/1193632
  https://bugzilla.suse.com/1194976