http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723034

"davfs2 calls function system several times. Because davfs2 is setuid root in many cases this will allow for privilege escalation. Appended are patches for version 1.4.6 and 1.4.7 that will fix this bug.

Note: as a consequence davfs2 will no longer try to insert required kernel modules or create device special files /dev/fuse or /dev/codaX. So the user has to make sure that one of these devices exists before mounting a davfs2 file system. As far as I can see /dev/fuse is created by default on Debian systems. davfs2 uses /dev/fuse by default (and not /dev/codaX). So this bug fix should not cause any problem on Debian systems."
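The insecure pattern the Debian report describes and the shape of its fix, as an added C example (not davfs2's own code): the device paths, the major/minor numbers in the comment and the real-uid access() check are this example's assumptions, not details from the report.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape (as the report describes it, not verbatim davfs2 code):
 * a setuid-root helper shelling out to set up its device node, e.g.
 *     system("modprobe fuse");  system("mknod /dev/fuse c 10 229");
 * system() runs /bin/sh as root with the caller's environment (PATH, IFS...),
 * so an unprivileged invoker influences what root executes.
 * Hardened shape (what the fix does): never load modules or mknod, only
 * verify that an existing device node is usable and fail loudly otherwise. */

/* Return 0 if 'path' is an existing character device the real (invoking)
 * user may open, else a negative errno. access() checks the real uid, not
 * the effective root uid, so root privilege is not used to widen access. */
int device_usable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -errno;          /* usually -ENOENT: node was never created */
    if (!S_ISCHR(st.st_mode))
        return -ENODEV;         /* exists, but is not a device node */
    if (access(path, R_OK | W_OK) != 0)
        return -errno;          /* -EACCES: invoking user may not use it */
    return 0;
}

/* Index of the first usable candidate, or -1 if none is usable. */
int pick_device(const char *const *candidates, int n)
{
    for (int i = 0; i < n; i++)
        if (device_usable(candidates[i]) == 0)
            return i;
    return -1;
}

int main(void)
{
    /* davfs2 prefers /dev/fuse, falling back to a coda device (per report) */
    const char *const candidates[] = { "/dev/fuse", "/dev/coda0" };
    int i = pick_device(candidates, 2);
    if (i < 0) {
        fprintf(stderr, "no usable device node; create /dev/fuse first\n");
        return 1;
    }
    printf("using %s\n", candidates[i]);
    return 0;
}
```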
Fixed packages have been submitted for all.
Advisory:
========================

Updated davfs2 package fixes security vulnerability:

Davfs2, a filesystem client for WebDAV, calls the function system() insecurely while it is setuid root. This might allow a privilege escalation (CVE-2013-4362).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4362
http://www.debian.org/security/2013/dsa-2765
========================

Updated packages in core/updates_testing:
========================
davfs2-1.4.6-1.1.mga2
davfs2-1.4.7-3.1.mga3

from SRPMS:
davfs2-1.4.6-1.1.mga2.src.rpm
davfs2-1.4.7-3.1.mga3.src.rpm
Version: 2 => 3
Assignee: bugsquad => qa-bugs
Summary: CVE-2013-4362: davfs2 - privilege escalation => davfs2 - privilege escalation (CVE-2013-4362)
Whiteboard: (none) => MGA2TOO
URL: http://www.debian.org/security/2013/dsa-2765 => http://lwn.net/Vulnerabilities/568668/
Testing complete mga3 64

Installed owncloud as the webdav server, created a user/pass MrsB/mrsb and added a (somewhat classic) file to play with. Don't laugh, you'll be humming it ;)

# mkdir /mnt/testdav
# mount -t davfs http://localhost/owncloud/remote.php/webdav/ /mnt/testdav/
Please enter the username to authenticate with server
http://localhost/owncloud/remote.php/webdav/ or hit enter for none.
Username: MrsB
Please enter the password to authenticate user MrsB with server
http://localhost/owncloud/remote.php/webdav/ or hit enter for none.
Password:
# ls /mnt/testdav/
01 - Manhattan Transfer - Chanson D'amour.mp3
# umount /mnt/testdav
Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok
Testing complete mga3 32

# mount -t davfs http://mega/owncloud/remote.php/webdav/ /mnt/testdav/
Please enter the username to authenticate with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
Username: mrsb
Please enter the password to authenticate user mrsb with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
Password:
# ls /mnt/testdav/
02 - Demis Roussos - Forever and Ever.mp3
Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete mga2 64

# mount -t davfs2 http://mega/owncloud/remote.php/webdav/ /mnt/testdav/
Please enter the username to authenticate with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
Username: MrsB
Please enter the password to authenticate user MrsB with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
Password:
# ls /mnt/testdav/
03 - David Soul - Don't Give Up on Us Baby.mp3
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok
Testing complete mga2 32

# mount -t davfs2 http://mega/owncloud/remote.php/webdav/ /mnt/testdav/
Please enter the username to authenticate with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
Username: MrsB
Please enter the password to authenticate user MrsB with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
Password:
# ls /mnt/testdav/
06 - Baccara - Yes Sir I Can Boogie.mp3
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Validating. Advisory uploaded. Could sysadmin please push from 2&3 core/updates_testing to updates. Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0304.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED