Summary
A security vulnerability has been discovered within rpm-ostree. Affected versions created the /etc/shadow and /etc/gshadow files with the world-readable bit enabled. With permissions set at a higher than recommended level, sensitive authentication data may be exposed to unauthorized access.
Impact
This issue occurs only on systems which were installed from Fedora 39 installers (this includes Silverblue, Kinoite, Sericea, Bluefin, Bazzite; any upstream Fedora Atomic installer, Universal Blue installer, or Fedora CoreOS installer). If you installed from Fedora 38 and upgraded to a Fedora 39 based image, you are not affected.
Resolution
The Universal Blue Team is actively working on updating our images to include the fix that is provided by the fixed version of rpm-ostree.
Solution 1
Update your system as soon as the fix is confirmed in our base images. This will patch any existing downstream installation: Bazzite, Bluefin, Aurora, Universal Blue main or ucore images.
Solution 2
If you do not wish to wait for an update in our base images, or do not want to reboot to fix, you may manually implement the fix as recommended in: World-readable /etc/shadow, /etc/shadow-, /etc/gshadow, /etc/gshadow- · Advisory · coreos/rpm-ostree · GitHub.
sudo chmod --verbose 0000 /etc/shadow /etc/gshadow /etc/shadow- /etc/gshadow-
Custom Images
If you are using a custom image that derives from Universal Blue, you’ll need to kick off a rebuild to ensure your image is updated.
Confirming the fix
Testing so far shows that running the update is sufficient. You can run systemctl status rpm-ostree-fix-shadow-mode.service to confirm.
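The file modes can also be checked directly. The following is an added example, not part of the original advisory or of rpm-ostree: the function name check_shadow_modes and its optional ROOT argument (for auditing a mounted image or a test directory) are assumptions, and it relies on GNU stat as shipped on Fedora.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the four files named in the
# advisory and report any that are still world-readable.
#
# Usage: check_shadow_modes          # audit the running system
#        check_shadow_modes /mnt     # audit a tree mounted at /mnt (hypothetical path)
#
# Returns the number of world-readable files found (0 means none).
check_shadow_modes() {
    root="${1:-}"
    bad=0
    for f in /etc/shadow /etc/shadow- /etc/gshadow /etc/gshadow-; do
        path="${root}${f}"
        # The backup copies (shadow-, gshadow-) do not exist on every system.
        if [ ! -e "$path" ]; then
            echo "SKIP  $path (not present)"
            continue
        fi
        # GNU stat: %a prints the octal mode without a leading zero, e.g. 644 or 0.
        mode=$(stat -c '%a' "$path")
        # The last octal digit holds the "other" permissions; bit 4 is read.
        other=$((mode % 10))
        if [ $((other & 4)) -ne 0 ]; then
            echo "FAIL  $path mode $mode is world-readable"
            bad=$((bad + 1))
        elif [ "$mode" != "0" ]; then
            # Not world-readable, but not the 0000 that the advisory's chmod sets.
            echo "NOTE  $path mode $mode (advisory sets 0000)"
        else
            echo "OK    $path mode 0000"
        fi
    done
    return "$bad"
}
```

Reading the mode with stat does not require read access to the files themselves, so the check works without sudo.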
Additional Information
Official CVE from Red Hat: cve-details
Advisory from CoreOS: World-readable /etc/shadow, /etc/shadow-, /etc/gshadow, /etc/gshadow- · Advisory · coreos/rpm-ostree · GitHub