Bug 11722

Summary: busybox new security issue CVE-2013-1813
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, thierry.vignaud, tmb, wilcal.int
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/574610/
Whiteboard: MGA3-32-OK MGA3-64-OK advisory
Source RPM: busybox-1.20.2-2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-11-21 16:24:58 CET 
RedHat has issued an advisory today (November 21):
https://rhn.redhat.com/errata/RHSA-2013-1732.html

It was fixed upstream in the version we have in Cauldron.

Patched package uploaded for Mageia 3.

Note to QA: The patch includes an addition to the built-in build-time test suite to make sure the fix works correctly, and the test suite is run during our package's build.

Advisory:
========================

Updated busybox packages fix security vulnerability:

It was found that the mdev BusyBox utility could create certain directories
within /dev with world-writable permissions. A local unprivileged user
could use this flaw to manipulate portions of the /dev directory tree
(CVE-2013-1813).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1813
https://rhn.redhat.com/errata/RHSA-2013-1732.html
========================

Updated packages in core/updates_testing:
========================
Wrote: /home/iurt/rpmbuild/RPMS/i586/busybox-1.20.2-2.1.mga3.i586.rpm
Wrote: /home/iurt/rpmbuild/RPMS/i586/busybox-static-1.20.2-2.1.mga3.i586.rpm

from busybox-1.20.2-2.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-11-21 16:27:39 CET 
Note: this issue also affects Mageia 2, which I have patched in SVN, but the package currently does not build:
http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20131121151614.luigiwalser.valstar.3576/log/busybox-1.19.3-1.2.mga2/build.0.20131121151705.log

This is strange, since we've previously issue an update for busybox on Mageia 2, so I don't know why it won't build now.  The only thing I can think is maybe it's an issue with kernel 3.4 (the previous update was built against kernel 3.3).

CC: (none) => thierry.vignaud, tmb

David Walser 2013-11-21 18:31:25 CET

URL: (none) => http://lwn.net/Vulnerabilities/574610/

Comment 2 William Kenney 2013-11-25 17:43:23 CET 
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
busybox

Default package installed:
[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.mga3.i586 is already installed
Command line functions like busybox ls, busybox vi run normally

Install busybox updates from nonfree updates_testing:

[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.1.mga3.i586 is already installed
Command line functions like busybox ls, busybox vi run normally

There are two additional packages in the repo:
busybox-static
mindi-busybox

Do these need to be testing also?


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

CC: (none) => wilcal.int

Comment 3 David Walser 2013-11-25 18:08:18 CET 
As the package list shows, busybox-static is part of this update, mindi-busybox is not.

The affected code is in util-linux/mdev.c.  I'm not sure if there's a way to initiate this code directly.  The change comes in the build_alias() function when it creates a directory, apparently doing something similar to mkdir -p where it has to create directories recursively.  It fixes it to use a umask of 022 when creating the intermediate directories instead of 000.
Comment 4 William Kenney 2013-11-26 19:18:08 CET 
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
busybox

Default package installed:
[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.mga3.x86_64 is already installed
Command line functions like busybox ls, busybox vi run normally

Install busybox updates from nonfree updates_testing:

[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.1.mga3.x86_64 is already installed
Command line functions like busybox ls, busybox vi run normally


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
William Kenney 2013-11-26 19:18:33 CET

Whiteboard: (none) => MGA3-32-OK MGA3-64-OK

William Kenney 2013-11-26 19:20:22 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 William Kenney 2013-11-26 19:20:58 CET 
Has the advisory been created for this bug?
Comment 6 claire robinson 2013-11-26 19:30:09 CET 
Not yet William, check for 'advisory' tag in whiteboard. Can you please add it if you upload it Ok.
Comment 7 Dave Hodgins 2013-11-26 19:55:57 CET 
Advisory 11722.adv committed to svn.

Someone from the sysadmin team please push 11722.adv to updates.

CC: (none) => davidwhodgins
Whiteboard: MGA3-32-OK MGA3-64-OK => MGA3-32-OK MGA3-64-OK advisory

Comment 8 Thomas Backlund 2013-11-30 22:46:46 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0358.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED