Bug 15471

Summary: autofs new security issue CVE-2014-8169
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Shlomi Fish <shlomif>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: mageia
Version: Cauldron
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/636271/
Whiteboard:
Source RPM: autofs-5.0.7-7.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2015-03-11 15:41:57 CET
OpenSuSE has issued an advisory today (March 11):
http://lists.opensuse.org/opensuse-updates/2015-03/msg00033.html

Patches checked into Cauldron SVN.  Freeze push requested.

Patches do not apply cleanly to the version we have in Mageia 4.

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-11 19:19:33 CET

URL: (none) => http://lwn.net/Vulnerabilities/636271/

Comment 1 David Walser 2015-03-12 21:01:17 CET
autofs-5.1.0-4.mga5 uploaded for Cauldron.
Sander Lepik 2015-03-14 19:32:28 CET

CC: (none) => mageia
Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2015-03-15 08:48:56 CET
(In reply to David Walser from comment #0)
> OpenSuSE has issued an advisory today (March 11):
> http://lists.opensuse.org/opensuse-updates/2015-03/msg00033.html
> 
> Patches checked into Cauldron SVN.  Freeze push requested.
> 
> Patches do not apply cleanly to the version we have in Mageia 4.
> 

Do you know if this bug happens at all in the autofs version in Mageia 4?

Regards,

-- Shlomi Fish

> Reproducible: 
> 
> Steps to Reproduce:
Comment 3 David Walser 2015-03-15 13:39:48 CET
(In reply to Shlomi Fish from comment #2)
> Do you know if this bug happens at all in the autofs version in Mageia 4?

Why wouldn't it?  autofs 5.0.7 also supports executable automounter maps.
Comment 4 Shlomi Fish 2015-03-16 17:30:35 CET
(In reply to David Walser from comment #3)
> (In reply to Shlomi Fish from comment #2)
> > Do you know if this bug happens at all in the autofs version in Mageia 4?
> 
> Why wouldn't it?  autofs 5.0.7 also supports executable automounter maps.

I see. Maybe we can ask upstream if they can provide an equivalent patch for autofs version 5.0.7.
Comment 5 Shlomi Fish 2015-03-21 09:19:46 CET
Adding "NEEDHELP"/"OK" to the whiteboard.

Whiteboard: (none) => NEEDHELP OK

Comment 6 Shlomi Fish 2015-03-23 10:17:24 CET
David:

according to the autofs README:

<QUOTE>

If you use or want to help develop autofs, please join the autofs
mailing list by sending an email to:

        majordomo@vger.kernel.org

With the body text:

        subscribe autofs

Once subscribed you can send patches to:

        autofs@vger.kernel.org

The autofs mailing list archive can be viewed on gmane:

        http://news.gmane.org/gmane.linux.kernel.autofs
        http://blog.gmane.org/gmane.linux.kernel.autofs

</QUOTE>

Now, I cannot subscribe and post there because I'm banned from the @vger.kernel.org E-mail domain. Can you please subscribe there and ask the question there?

Regards,

-- Shlomi Fish
Comment 7 David Walser 2015-04-27 16:53:59 CEST
According to Ubuntu, the issue was introduced in 5.0.8.  5.0.7 is not affected:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8169.html

Closing as FIXED for Cauldron.

Status: NEW => RESOLVED
Version: 4 => Cauldron
Resolution: (none) => FIXED
Whiteboard: NEEDHELP OK => (none)