Bug 11300 - davfs2 - privilege escalation (CVE-2013-4362)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/568668/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-09-27 11:53 CEST by Oden Eriksson
Modified: 2013-10-11 19:36 CEST

See Also:
Source RPM: davfs2

Description Oden Eriksson 2013-09-27 11:53:48 CEST
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723034

"davfs2 calls function system several times. Because davfs2 is setuid
root in many cases this will allow for privilege escalation.

Appended are patches for version 1.4.6 and 1.4.7 that will fix this bug.

Note: as a consequence davfs2 will no longer try to insert required
kernel modules or create device special files /dev/fuse or /dev/codaX.
So the user has to make sure that one of these devices exists before
mounting a davfs2 file system. As far as I can see /dev/fuse is created
by default on Debian systems. davfs2 uses /dev/fuse by default (and
not /dev/codaX). So this bug fix should not cause any problem on Debian
systems."

Comment 1 Oden Eriksson 2013-09-27 11:54:07 CEST
Fixed packages have been submitted for all.
Comment 2 David Walser 2013-09-27 16:58:06 CEST
Advisory:
========================

Updated davfs2 package fixes security vulnerability:

Davfs2, a filesystem client for WebDAV, calls the function system() insecurely
while it is setuid root. This might allow a privilege escalation (CVE-2013-4362).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4362
http://www.debian.org/security/2013/dsa-2765
========================

Updated packages in core/updates_testing:
========================
davfs2-1.4.6-1.1.mga2
davfs2-1.4.7-3.1.mga3

from SRPMS:
davfs2-1.4.6-1.1.mga2.src.rpm
davfs2-1.4.7-3.1.mga3.src.rpm

Version: 2 => 3
Assignee: bugsquad => qa-bugs
Summary: CVE-2013-4362: davfs2 - privilege escalation => davfs2 - privilege escalation (CVE-2013-4362)
Whiteboard: (none) => MGA2TOO

David Walser 2013-09-27 20:05:46 CEST

URL: http://www.debian.org/security/2013/dsa-2765 => http://lwn.net/Vulnerabilities/568668/
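
Added illustration, not code from davfs2 or from this report: the pattern that the Debian report in the description and the advisory above describe, sketched in C. The names `is_char_device` and `run_helper` are hypothetical; the first mirrors the post-fix requirement that /dev/fuse already exist, and the second goes beyond the page's fix to show a helper started with an absolute path and a fixed environment instead of system().

```c
/* Added illustration, not davfs2 source; function names are hypothetical. */
#include <errno.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Post-fix behaviour as the report describes it: nothing is created or
 * loaded, the device node simply has to exist already. */
int is_char_device(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)      /* lstat: a symlink is not accepted */
        return 0;
    return S_ISCHR(st.st_mode) ? 1 : 0;
}

/* system() runs "/bin/sh -c <string>" with the caller's environment, which
 * in a setuid-root binary is chosen by the unprivileged user. This helper
 * takes an absolute path, a fixed argv and a fixed environment instead.
 * Returns the child's exit status, or -1 on error. */
int run_helper(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                  /* never resolve through PATH */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);
        _exit(127);                 /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "sh", "-c", "exit 0", NULL };   /* constructed sample */
    if (!is_char_device("/dev/fuse"))
        return EXIT_FAILURE;        /* administrator must provide the device */
    return run_helper("/bin/sh", argv);
}
```
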

Comment 3 claire robinson 2013-10-10 14:16:18 CEST
Testing complete mga3 64

Installed owncloud as the webdav server, created a user/pass MrsB/mrsb and added a (somewhat classic) file to play with. Don't laugh, you'll be humming it ;)


# mkdir /mnt/testdav

# mount -t davfs http://localhost/owncloud/remote.php/webdav/ /mnt/testdav/

Please enter the username to authenticate with server
http://localhost/owncloud/remote.php/webdav/ or hit enter for none.
  Username: MrsB
Please enter the password to authenticate user MrsB with server
http://localhost/owncloud/remote.php/webdav/ or hit enter for none.
  Password:

# ls /mnt/testdav/
01 - Manhattan Transfer -  Chanson D'amour.mp3

# umount /mnt/testdav

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok

Comment 4 claire robinson 2013-10-10 14:28:40 CEST
Testing complete mga3 32

# mount -t davfs http://mega/owncloud/remote.php/webdav/ /mnt/testdav/
Please enter the username to authenticate with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Username: mrsb
Please enter the password to authenticate user mrsb with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Password:  

# ls /mnt/testdav/
02 - Demis Roussos -  Forever and Ever.mp3

Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok

Comment 5 claire robinson 2013-10-10 14:37:10 CEST
Testing complete mga2 64

# mount -t davfs2 http://mega/owncloud/remote.php/webdav/ /mnt/testdav/
Please enter the username to authenticate with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Username: MrsB
Please enter the password to authenticate user MrsB with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Password:

# ls /mnt/testdav/
03 - David Soul -  Don't Give Up on Us Baby.mp3

Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok

Comment 6 claire robinson 2013-10-10 14:51:47 CEST
Testing complete mga2 32

# mount -t davfs2 http://mega/owncloud/remote.php/webdav/ /mnt/testdav/
Please enter the username to authenticate with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Username: MrsB
Please enter the password to authenticate user MrsB with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Password:  

# ls /mnt/testdav/
06 - Baccara -  Yes Sir  I Can Boogie.mp3

Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok

Comment 7 claire robinson 2013-10-10 15:03:12 CEST
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2013-10-11 19:36:45 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0304.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

