Bug 11300

Summary: davfs2 - privilege escalation (CVE-2013-4362)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/568668/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Source RPM: davfs2 CVE:
Status comment:

Description Oden Eriksson 2013-09-27 11:53:48 CEST 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723034

"davfs2 calls function system several times. Because davfs2 is setuid
root in many cases this will allow for privilege escalation.

Appended are patches for version 1.4.6 and 1.4.7 that will fix this bug.

Note: as a consequence davfs2 will no longer try to insert required
kernel modules or create device special files /dev/fuse or /dev/codaX.
So the user has to make sure that one of these devices exists before
mounting a davfs2 file system. As far as I can see /dev/fuse is created
by default on Debian systems. davfs2 uses /dev/fuse by default (and
not /dev/codaX). So this bug fix should not cause any problem on Debian
systems."

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-09-27 11:54:07 CEST 
fixed packages has been submitted for all.
Comment 2 David Walser 2013-09-27 16:58:06 CEST 
Advisory:
========================

Updated davfs2 package fixes security vulnerability:

Davfs2, a filesystem client for WebDAV, calls the function system() insecurely
while is setuid root. This might allow a privilege escalation (CVE-2013-4362).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4362
http://www.debian.org/security/2013/dsa-2765
========================

Updated packages in core/updates_testing:
========================
davfs2-1.4.6-1.1.mga2
davfs2-1.4.7-3.1.mga3

from SRPMS:
davfs2-1.4.6-1.1.mga2.src.rpm
davfs2-1.4.7-3.1.mga3.src.rpm

Version: 2 => 3
Assignee: bugsquad => qa-bugs
Summary: CVE-2013-4362: davfs2 - privilege escalation => davfs2 - privilege escalation (CVE-2013-4362)
Whiteboard: (none) => MGA2TOO

David Walser 2013-09-27 20:05:46 CEST

URL: http://www.debian.org/security/2013/dsa-2765 => http://lwn.net/Vulnerabilities/568668/

Comment 3 claire robinson 2013-10-10 14:16:18 CEST 
Testing complete mga3 64

Installed owncloud as the webdav server, created a user/pass MrsB/mrsb and added a (somewhat classic) file to play with. Don't laugh, you'll be humming it ;)


# mkdir /mnt/testdav

# mount -t davfs http://localhost/owncloud/remote.php/webdav/ /mnt/testdav/

Please enter the username to authenticate with server
http://localhost/owncloud/remote.php/webdav/ or hit enter for none.
  Username: MrsB
Please enter the password to authenticate user MrsB with server
http://localhost/owncloud/remote.php/webdav/ or hit enter for none.
  Password:

# ls /mnt/testdav/
01 - Manhattan Transfer -  Chanson D'amour.mp3

# umount /mnt/testdav

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok

Comment 4 claire robinson 2013-10-10 14:28:40 CEST 
Testing complete mga3 32

# mount -t davfs http://mega/owncloud/remote.php/webdav/ /mnt/testdav/
Please enter the username to authenticate with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Username: mrsb
Please enter the password to authenticate user mrsb with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Password:  

# ls /mnt/testdav/
02 - Demis Roussos -  Forever and Ever.mp3

Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok

Comment 5 claire robinson 2013-10-10 14:37:10 CEST 
Testing complete mga2 64

# mount -t davfs2 http://mega/owncloud/remote.php/webdav/ /mnt/testdav/
Please enter the username to authenticate with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Username: MrsB
Please enter the password to authenticate user MrsB with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Password:

# ls /mnt/testdav/
03 - David Soul -  Don't Give Up on Us Baby.mp3

Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok

Comment 6 claire robinson 2013-10-10 14:51:47 CEST 
Testing complete mga2 32

# mount -t davfs2 http://mega/owncloud/remote.php/webdav/ /mnt/testdav/
Please enter the username to authenticate with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Username: MrsB
Please enter the password to authenticate user MrsB with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Password:  

# ls /mnt/testdav/
06 - Baccara -  Yes Sir  I Can Boogie.mp3

Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok

Comment 7 claire robinson 2013-10-10 15:03:12 CEST 
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2013-10-11 19:36:45 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0304.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED