
useradd/groupadd report warning #938

Open

pawanbadganchi opened this issue Feb 6, 2024 · 9 comments

Comments

@pawanbadganchi

useradd/groupadd report errors as below:

We are using this shadow library in our application.
When we compile our application, we get the warning below in log.do_prepare_recipe_sysroot:

"configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
"configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"

The above warning is observed even though the CVE fix below is already present in our kirkstone branch:

CVE-2023-29383.patch
0001-Overhaul-valid_field.patch

@pawanbadganchi
Author

@ikerexxe @alejandro-colomar Could you please help here?

@alejandro-colomar
Collaborator

alejandro-colomar commented Feb 6, 2024

What are those patch names?

Also, the CVE is fixed in 4.14, right?

@ikerexxe
Collaborator

ikerexxe commented Feb 6, 2024

> We are using this shadow library in our application. When we compile our application we get below warning in log.do_prepare_recipe_sysroot

I think it would be nice to have an explanation of who you are referring to by "we". Are you referring to a well-known distribution? Or are you the developer of some homemade distribution?

> CVE-2023-29383.patch 0001-Overhaul-valid_field.patch.

I don't have access to those patches. Have they been upstreamed? If so, can you provide a link to their commit hashes?

> Also, the CVE is fixed in 4.14, right?

Yes, so either they rebase to 4.14, or they manually port that patch.

@pawanbadganchi
Author

pawanbadganchi commented Feb 7, 2024

> What are those patch names?

> Also, the CVE is fixed in 4.14, right?

Patch names are below.
0001-Overhaul-valid_field.patch
CVE-2023-29383.patch

Yes, it is fixed in 4.14.

Below is the commit hash link.
https://git.yoctoproject.org/poky/commit/?id=ef16919e98108724ede5ad5d79e3cbab1918d6d5

There was a discussion on the meta-openembedded mailing list, and they merged it in upstream kirkstone as well as in master.

https://lists.openembedded.org/g/openembedded-core/message/180212

@pawanbadganchi
Author

pawanbadganchi commented Feb 7, 2024

> > We are using this shadow library in our application. When we compile our application we get below warning in log.do_prepare_recipe_sysroot
>
> I think it would be nice to have an explanation of who you are referring to by "we". Are you referring to a well-known distribution? Or are you the developer of some homemade distribution?
>
> > CVE-2023-29383.patch 0001-Overhaul-valid_field.patch.
>
> I don't have access to those patches. Have they been upstreamed? If so, can you provide a link to their commit hashes?
>
> > Also, the CVE is fixed in 4.14, right?
>
> Yes, so either they rebase to 4.14, or they manually port that patch.

Yes, I am the developer of a well-known distribution.

Yes, they have been upstreamed and fixed in version 4.14.
Below is the commit hash link.
https://git.yoctoproject.org/poky/commit/?id=ef16919e98108724ede5ad5d79e3cbab1918d6d5

There was a discussion on the meta-openembedded mailing list, and they merged it in upstream kirkstone as well as in master.

https://lists.openembedded.org/g/openembedded-core/message/180212

@ikerexxe
Collaborator

ikerexxe commented Feb 7, 2024

At this point I have read this topic two times and I don't understand where the problem lies. You mention two patches that I thought were missing in your distribution, but apparently they have already been backported. So, what are you looking for? Can you state the problem in other terms?

@pawanbadganchi
Author

pawanbadganchi commented Feb 7, 2024

> At this point I have read this topic two times and I don't understand where the problem lies. You mention two patches that I thought were missing in your distribution, but apparently they have already been backported. So, what are you looking for? Can you state the problem in another terms?

@ikerexxe
We are using this shadow library in our application.
When we compile our application, we get the warning below in log.do_prepare_recipe_sysroot.

The warning below is observed even though the CVE fix below is already present in our kirkstone branch.

"configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
"configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"

CVE-2023-29383.patch
0001-Overhaul-valid_field.patch

What could be the reason this warning appears?

@ikerexxe
Collaborator

ikerexxe commented Feb 8, 2024

Taking a look at the openembedded distribution email that you sent, it seems like they have another patch to silence those warnings:

> 2. The fix of cve caused useradd/groupadd report errors as below:
> "configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
> "configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"
> so backport another patch to fix useradd/groupadd wrong parameter's issue.

However, the only other commit that is referenced is e5905c4, and from a first glance that doesn't seem to fix the issue. I'd recommend you to reply to that email to understand how they "fixed" the problem.

@pawanbadganchi
Author

> Taking a look at the openembedded distribution email that you sent it seems like they have another patch to silence those warnings:
>
> > 2. The fix of cve caused useradd/groupadd report errors as below:
> > "configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
> > "configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"
> > so backport another patch to fix useradd/groupadd wrong parameter's issue.
>
> However, the only other commit that is referenced is e5905c4, and from a first glance that doesn't seem to fix the issue. I'd recommend you to reply to that email to understand how they "fixed" the problem.

This is the other patch, 0001-Overhaul-valid_field.patch, which we also have in our code, but the issue still occurs.
Okay, I will reply to that email.
