Bug 11300 - davfs2 - privilege escalation (CVE-2013-4362)
Summary: davfs2 - privilege escalation (CVE-2013-4362)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/568668/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2...
Keywords: validated_update

Reported: 2013-09-27 11:53 CEST by Oden Eriksson
Modified: 2013-10-11 19:36 CEST (History)

Source RPM: davfs2

Description Oden Eriksson 2013-09-27 11:53:48 CEST
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723034

"davfs2 calls function system several times. Because davfs2 is setuid
root in many cases this will allow for privilege escalation.

Appended are patches for version 1.4.6 and 1.4.7 that will fix this bug.

Note: as a consequence davfs2 will no longer try to insert required
kernel modules or create device special files /dev/fuse or /dev/codaX.
So the user has to make sure that one of these devices exists before
mounting a davfs2 file system. As far as I can see /dev/fuse is created
by default on Debian systems. davfs2 uses /dev/fuse by default (and
not /dev/codaX). So this bug fix should not cause any problem on Debian
systems."

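The bug class the quoted description refers to, as an added example that is not davfs2's code nor the Debian patch: a setuid-root program that calls system() hands the command to /bin/sh, and the shell resolves the program name through the PATH inherited from the unprivileged user who ran the binary. The example plays the attacker (a fake "modprobe" placed first in PATH), then shows the two safer shapes: not executing anything and just checking that /dev/fuse exists, which is what the fix does, and, if something really must be spawned, execve() of an absolute path with a fixed environment. The command name "modprobe", the /tmp scratch directory and /bin/sh are assumptions; the demo runs as the invoking user, so the fake is executed with that user's rights rather than root's.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* VULNERABLE pattern, the bug class in davfs2 1.4.x: system() runs
 * "/bin/sh -c <cmd>" and the shell looks "modprobe" up through the PATH
 * inherited from whoever invoked the setuid binary. The loader's setuid
 * hardening (ignoring LD_PRELOAD etc.) does nothing about PATH.
 * "modprobe" is an assumption; the page only says "insert required
 * kernel modules". */
static int load_module_unsafe(const char *module)
{
    char cmd[128];
    snprintf(cmd, sizeof cmd, "modprobe %s", module);
    return system(cmd);
}

/* What the fix does instead: execute nothing and require the device node
 * to exist already as a character device. */
static int fuse_device_available(const char *devpath)
{
    struct stat st;
    return stat(devpath, &st) == 0 && S_ISCHR(st.st_mode);
}

/* If a privileged program really must spawn something: absolute path only,
 * no shell, and an environment the caller cannot influence. Returns the
 * child's exit status, or -1 if the spawn was refused or failed. */
static int exec_fixed(const char *abspath, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/sbin:/bin", NULL };
    if (abspath[0] != '/')
        return -1;                      /* never resolve via PATH */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abspath, argv, clean_env);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Play the attacker: drop a fake "modprobe" first in PATH, then call the
 * unsafe or the hardened spawn. Returns 1 if the fake ran, 0 if it did
 * not, -1 on setup failure. Assumes a writable, executable /tmp. */
static int run_hijack_demo(int use_unsafe)
{
    char dir[] = "/tmp/davfs2-demo-XXXXXX";
    char script[256], marker[256], newpath[1024];
    if (!mkdtemp(dir))
        return -1;
    snprintf(script, sizeof script, "%s/modprobe", dir);
    snprintf(marker, sizeof marker, "%s/hijacked", dir);

    FILE *f = fopen(script, "w");       /* constructed fake "modprobe" */
    if (!f)
        return -1;
    fprintf(f, "#!/bin/sh\n: > '%s'\n", marker);   /* leaves a footprint */
    fclose(f);
    chmod(script, 0755);

    const char *cur = getenv("PATH");
    char *saved = cur ? strdup(cur) : NULL;
    snprintf(newpath, sizeof newpath, "%s:%s", dir, cur ? cur : "/usr/bin:/bin");
    setenv("PATH", newpath, 1);         /* attacker's PATH, dir first */

    if (use_unsafe) {
        load_module_unsafe("fuse");
    } else {
        char *const argv[] = { "modprobe", "fuse", NULL };
        exec_fixed("modprobe", argv);   /* relative name: refused */
    }

    if (saved) { setenv("PATH", saved, 1); free(saved); } else unsetenv("PATH");
    int hijacked = access(marker, F_OK) == 0;
    unlink(marker);
    unlink(script);
    rmdir(dir);
    return hijacked;
}

int main(void)
{
    printf("system(): fake modprobe ran = %d\n", run_hijack_demo(1));
    printf("execve(): fake modprobe ran = %d\n", run_hijack_demo(0));
    printf("/dev/fuse is a char device = %d\n", fuse_device_available("/dev/fuse"));
    return 0;
}
```

Compile with `cc -o davfs2-demo davfs2-demo.c` and run as an ordinary user; the first line prints 1 because the shell started by system() found the planted script, the second prints 0 because exec_fixed() refuses anything that is not an absolute path. exec_fixed() only removes the PATH and shell-parsing channels; a setuid program that keeps it would still want to drop its effective uid before spawning anything a user could influence.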
Comment 1 Oden Eriksson 2013-09-27 11:54:07 CEST
Fixed packages have been submitted for all.
Comment 2 David Walser 2013-09-27 16:58:06 CEST
Advisory:
========================

Updated davfs2 package fixes security vulnerability:

Davfs2, a filesystem client for WebDAV, calls the function system() insecurely
while it is setuid root. This might allow a privilege escalation (CVE-2013-4362).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4362
http://www.debian.org/security/2013/dsa-2765
========================

Updated packages in core/updates_testing:
========================
davfs2-1.4.6-1.1.mga2
davfs2-1.4.7-3.1.mga3

from SRPMS:
davfs2-1.4.6-1.1.mga2.src.rpm
davfs2-1.4.7-3.1.mga3.src.rpm
Comment 3 claire robinson 2013-10-10 14:16:18 CEST
Testing complete mga3 64

Installed owncloud as the webdav server, created a user/pass MrsB/mrsb and added a (somewhat classic) file to play with. Don't laugh, you'll be humming it ;)


# mkdir /mnt/testdav

# mount -t davfs http://localhost/owncloud/remote.php/webdav/ /mnt/testdav/

Please enter the username to authenticate with server
http://localhost/owncloud/remote.php/webdav/ or hit enter for none.
  Username: MrsB
Please enter the password to authenticate user MrsB with server
http://localhost/owncloud/remote.php/webdav/ or hit enter for none.
  Password:

# ls /mnt/testdav/
01 - Manhattan Transfer -  Chanson D'amour.mp3

# umount /mnt/testdav
Comment 4 claire robinson 2013-10-10 14:28:40 CEST
Testing complete mga3 32

# mount -t davfs http://mega/owncloud/remote.php/webdav/ /mnt/testdav/
Please enter the username to authenticate with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Username: mrsb
Please enter the password to authenticate user mrsb with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Password:  

# ls /mnt/testdav/
02 - Demis Roussos -  Forever and Ever.mp3
Comment 5 claire robinson 2013-10-10 14:37:10 CEST
Testing complete mga2 64

# mount -t davfs2 http://mega/owncloud/remote.php/webdav/ /mnt/testdav/
Please enter the username to authenticate with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Username: MrsB
Please enter the password to authenticate user MrsB with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Password:

# ls /mnt/testdav/
03 - David Soul -  Don't Give Up on Us Baby.mp3
Comment 6 claire robinson 2013-10-10 14:51:47 CEST
Testing complete mga2 32

# mount -t davfs2 http://mega/owncloud/remote.php/webdav/ /mnt/testdav/
Please enter the username to authenticate with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Username: MrsB
Please enter the password to authenticate user MrsB with server
http://mega/owncloud/remote.php/webdav/ or hit enter for none.
  Password:  

# ls /mnt/testdav/
06 - Baccara -  Yes Sir  I Can Boogie.mp3
Comment 7 claire robinson 2013-10-10 15:03:12 CEST
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 8 Thomas Backlund 2013-10-11 19:36:45 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0304.html
