CVE-2024-2905

Original message was deleted

Noel•4/10/24, 3:16 PM

Please include all continuing conversations here regarding the new CVE.

j0rge•4/10/24, 3:16 PM

yeah we need HWE, then bazzifin, then fresh ISOs

j0rge•4/10/24, 3:17 PM

we don't need to manually kick off 38's right? leave those to the cronjob?

bsherman•4/10/24, 3:17 PM

i'm testing 38 now to know it's status for sure, but i think it was basically uneffected

bsherman•4/10/24, 3:18 PM

please start hwe 39 and 40 builds

Robert•4/10/24, 3:18 PM

HWE cron should kick off in 15 minutes, so I think we can ignore HWE to prevent double builds.

Bluefin and Bazzote looks like about 1 hour after HWE, so we can trigger that after HWE scheduled builds?

j0rge•4/10/24, 3:20 PM

How are you confirming you're on the right version

j0rge•4/10/24, 3:20 PM

can someone paste in the rpm -qa command or whatever so I can put it in the announcement?

Robert•4/10/24, 3:21 PM

bsherman ran systemctl status rpm-ostree-fix-shadow-mode.servicesystemctl status rpm-ostree-fix-shadow-mode.service. I guess they released the fix as a systemd unit

Jj0rge How are you confirming you're on the right version

bsherman•4/10/24, 3:21 PM

see my screeshot, it shows checking a status of a service which does the fix

j0rge•4/10/24, 3:21 PM

sgtm to do bluefin right after hwe, the ISOs take like 30m so firing those off asap

RRobert bsherman ran `systemctl status rpm-ostree-fix-shadow-mode.service`. I guess the...

bsherman•4/10/24, 3:21 PM

right, this service does not exist before the fixed version

j0rge•4/10/24, 3:24 PM

https://universal-blue.discourse.group/t/updates-needed-cve-2024-2905/1053 added this to the announcement with quick confirmation instructions

bsherman•4/10/24, 3:26 PM

hmmm... we need to address this for ucore too

Sharkitty•4/10/24, 3:27 PM

So for custom images based on ublue we just need to update and we'll get the fix right?

SSharkitty So for custom images based on ublue we just need to update and we'll get the fix...

bsherman•4/10/24, 3:27 PM

yes, after your respective upstream is confirmed good

so far, only the ublue-os/*-main images are fixed, not the nvidia/asus/surface/framework or bluefin/bazzite

Jj0rge <https://universal-blue.discourse.group/t/updates-needed-cve-2024-2905/1053> add...

bsherman•4/10/24, 3:30 PM

I think i need to also update for ucore, but will do so after the desktop stuff is tested

Bbsherman yes, after your respective upstream is confirmed good so far, only the ublue-os...

Sharkitty•4/10/24, 3:31 PM

If main is good it's the only I'm building atm, since my image is still a WiP I haven't introduced nvidia drivers yet. I triggered a build. Thanks you!

bsherman•4/10/24, 3:38 PM

scheduled hwe builds are in progress... i'm monitoring ...

bsherman•4/10/24, 3:38 PM

and testing F40/F38 main builds locally for confirmation of fix

bsherman•4/10/24, 3:39 PM

ohhh! F40 main does NOT have the fixed rpm-ostree yet... so... an F39 upgraded to F40 doesn't yet have the fix

Noel•4/10/24, 3:41 PM

oh boy.

Bbsherman ohhh! F40 main does NOT have the fixed rpm-ostree yet... so... an F39 upgraded t...

Noel•4/10/24, 3:41 PM

should we revise the CVE announcement?

bsherman•4/10/24, 3:42 PM

hold for confirmation plz

bsherman•4/10/24, 3:46 PM

So, this shows us the versions we should expect to contain the fix on respective releases: https://koji.fedoraproject.org/koji/packageinfo?packageID=18142

F38: rpm-ostree-2023.10-4.fc38
F39: rpm-ostree-2024.4-6.fc39
F40: rpm-ostree-2024.4-5.fc40

bsherman•4/10/24, 3:49 PM

our current F40 build has

$ rpm -q rpm-ostree
rpm-ostree-2024.4-2.fc40.x86_64

$ rpm -q rpm-ostree
rpm-ostree-2024.4-2.fc40.x86_64

so yeah, it didn't make it yet...it looks like from the koji page it's still stuck in f40-updates-testingf40-updates-testing

j0rge•4/10/24, 3:49 PM

but 39 is fine?

j0rge•4/10/24, 3:50 PM

ok rolling with bluefin then since hwe just finished

j0rge•4/10/24, 3:50 PM

can deal with 40 later, mostly want to get the ISOs refreshed for 38/39

bsherman•4/10/24, 3:50 PM

yes F39 is fine... and arguably the most important since thats where the problem occurred

bsherman•4/10/24, 3:51 PM

an F38 user MUST have installed from an F38 ISO and thus never had the vuln, even though they don't have the fixed rpm-ostree package yet, they are not vulnerable

bsherman•4/10/24, 3:51 PM

an F39 user who updates after all our builds are done today will be fine

j0rge•4/10/24, 3:51 PM

ok so really we don't need to rebuild the world, just F39 and ISOs

bsherman•4/10/24, 3:52 PM

yeah, but schedules are going to do most of it for us

j0rge•4/10/24, 3:52 PM

F40 will come whenever it comes out of testing so whatever.

bsherman•4/10/24, 3:52 PM

you can push bluefin 39 out sooner though

Jj0rge F40 will come whenever it comes out of testing so whatever.

bsherman•4/10/24, 3:52 PM

it's still beta

j0rge•4/10/24, 3:52 PM

yeah gonna get it outta the way since the ISOs take a while to build

j0rge•4/10/24, 3:52 PM

yeah I don't care about 40

Jj0rge yeah I don't care about 40

bsherman•4/10/24, 3:52 PM

ask me if i care

j0rge•4/10/24, 3:53 PM

you're on 40 you live the cron lifestyle rn.

Jj0rge you're on 40 you live the cron lifestyle rn.

Noel•4/10/24, 3:53 PM

if you're on 40, you can fix it with the manual command I posted in the announcement.

Bbsherman So, this shows us the versions we should expect to contain the fix on respective...

bsherman•4/10/24, 3:53 PM

further verification of F39 per koji and local testing:

$ rpm -q rpm-ostree
rpm-ostree-2024.4-6.fc39.x86_64

$ rpm -q rpm-ostree
rpm-ostree-2024.4-6.fc39.x86_64

Bbsherman So, this shows us the versions we should expect to contain the fix on respective...

bsherman•4/10/24, 3:54 PM

and confirmation that F38 images match expectations from koji

$ rpm -q rpm-ostree
rpm-ostree-2023.10-3.fc38.x86_64

$ rpm -q rpm-ostree
rpm-ostree-2023.10-3.fc38.x86_64

bsherman•4/10/24, 4:04 PM

with desktop stuff in a known state

i just queued builds for ucoreucore https://github.com/ublue-os/ucore/actions/

i'll find out the status before updating the announcement

bsherman•4/10/24, 4:07 PM

also, i don't know if it was mentioned here: but @Kyle Gospo stated that bazzite has build issues so those images are not getting updated now... but users can fix with the manual mitigation

bsherman•4/10/24, 4:07 PM

ucore:testing is failing for flavors w/ kmods... so i'm rebuilding ucore-kmods

j0rge•4/10/24, 4:14 PM

22/60 builders, we're looking good

bsherman•4/10/24, 4:16 PM

i need ucore-kdmods:testing to finish... probably anothe 6 minutes, then i'll re-kick ucore:testing

Dylan•4/10/24, 4:28 PM

Is this CVE just that the permissions on the shadow files are too broad? It would seem someone needs local access to abuse it and get the hashes, right?

CVE-2024-2905

Similar Threads

Similar Threads

Similar Threads