Bug 11721 - augeas new security issues CVE-2012-0786, CVE-2012-0787, CVE-2013-6412
: augeas new security issues CVE-2012-0786, CVE-2012-0787, CVE-2013-6412
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/574606/
: has_procedure mga3-32-ok mga3-64-ok a...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-11-21 15:58 CET by David Walser
Modified: 2014-02-12 18:45 CET (History)
9 users (show)

See Also:
Source RPM: augeas-0.10.0-7.mga3.src.rpm
CVE:
Status comment:


Attachments
examples.sh adapted from https://github.com/hercules-team/augeas/blob/master/examples/examples.sh (597 bytes, application/x-shellscript)
2014-02-12 15:55 CET, claire robinson
Details

Description David Walser 2013-11-21 15:58:08 CET
RedHat has issued an advisory today (November 21):
https://rhn.redhat.com/errata/RHSA-2013-1537.html

The issues were fixed upstream in 1.0.0, which RedHat updated to.

We have 1.1.0 in Cauldron, so it's not affected.  Mageia 2 is also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-11-22 16:05:42 CET
Removing Mageia 2 from the whiteboard due to EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Comment 2 Thomas Spuhler 2014-01-03 19:25:59 CET
I fixed this bug by upgrading to version 1.1.0 which we have in cauldron.
This makes maintaining easier than just upgrading to version 1.0.0.
This fixes Security issue CVE-2012-0786 and CVE-2012-0787
The packages are:
augeas-1.1.0-1.mga3.src.rpm
augeas-1.1.0-1.mga3.x86_64.rpm
lib64augeas-devel-1.1.0-1.mga3.x86_64.rpm
lib64augeas0-1.1.0-1.mga3.x86_64.rpm
lib64fa1-1.1.0-1.mga3.x86_64.rpm
augeas-lenses-1.1.0-1.mga3.x86_64.rpm
augeas-debuginfo-1.1.0-1.mga3.x86_64.rpm
and the same as i586.rpm
Assigning to qa-bugs@ml.mageia.org
Comment 3 David Walser 2014-01-03 19:44:22 CET
Thanks Thomas!

Advisory:
========================

Updated augeas packages fix security vulnerabilities:

Multiple flaws were found in the way Augeas handled configuration files
when updating them. An application using Augeas to update configuration
files in a directory that is writable to by a different user (for example,
an application running as root that is updating files in a directory owned
by a non-root service user) could have been tricked into overwriting
arbitrary files or leaking information via a symbolic link or mount point
attack (CVE-2012-0786, CVE-2012-0787).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0787
https://rhn.redhat.com/errata/RHSA-2013-1537.html
========================

Updated packages in core/updates_testing:
========================
augeas-1.1.0-1.mga3
libaugeas-devel-1.1.0-1.mga3
libaugeas0-1.1.0-1.mga3
libfa1-1.1.0-1.mga3
augeas-lenses-1.1.0-1.mga3
augeas-debuginfo-1.1.0-1.mga3

from augeas-1.1.0-1.mga3.src.rpm
Comment 4 Oden Eriksson 2014-01-21 14:07:46 CET
https://rhn.redhat.com/errata/RHSA-2014-0044.html

CVE-2013-6412 is fixed with augeas-1.1.0-1.1.mga3 and augeas-1.1.0-3.mga4

augeas-1.1.0-3.mga4 needs to be submitted though.
Comment 5 David Walser 2014-01-21 14:55:22 CET
Thanks Oden!  Freeze push requested for Cauldron.

Advisory:
========================

Updated augeas packages fix security vulnerabilities:

Multiple flaws were found in the way Augeas handled configuration files
when updating them. An application using Augeas to update configuration
files in a directory that is writable to by a different user (for example,
an application running as root that is updating files in a directory owned
by a non-root service user) could have been tricked into overwriting
arbitrary files or leaking information via a symbolic link or mount point
attack (CVE-2012-0786, CVE-2012-0787).

A flaw was found in the way Augeas handled certain umask settings when
creating new configuration files. This flaw could result in configuration
files being created as world writable, allowing unprivileged local users to
modify their content (CVE-2013-6412).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6412
https://rhn.redhat.com/errata/RHSA-2013-1537.html
https://rhn.redhat.com/errata/RHSA-2014-0044.html
========================

Updated packages in core/updates_testing:
========================
augeas-1.1.0-1.1.mga3
libaugeas-devel-1.1.0-1.1.mga3
libaugeas0-1.1.0-1.1.mga3
libfa1-1.1.0-1.1.mga3
augeas-lenses-1.1.0-1.1.mga3
augeas-debuginfo-1.1.0-1.1.mga3

from augeas-1.1.0-1.1.mga3.src.rpm
Comment 6 David Walser 2014-01-21 20:44:19 CET
LWN reference for CVE-2013-6412:
http://lwn.net/Vulnerabilities/581540/
Comment 7 Samuel Verschelde 2014-01-22 11:42:26 CET
This update makes augeas jump from 0.10.1 to 1.1.0 (2 releases, 2 years of development), with lots of changes. We need to be careful with testing it.

Was updating to the latest version the best way to fix the security issues?

List of dependent packages that could be affected by any regression in augeas:

$ urpmq --whatrequires-recursive libaugeas0 augeas libaugeas-devel libfa1 augeas-lenses

augeas
augeas-lenses
gnome-boxes
kolab
kolab-cli
kolab-conf
kolab-imap
kolab-mta
kolab-saslauthd
kolab-server
libaugeas-devel
libaugeas0
libfa1
libnetcf-devel
libnetcf1
libvirt-java
libvirt-java-devel
libvirt-utils
libvirt-utils
libvirt-utils
netcf
ocaml-augeas
ocaml-augeas-devel
perl-Config-Augeas
postfix-kolab
pykolab
pykolab-telemetry
pykolab-xml
python-augeas
virt-manager
wallace
Comment 8 Oden Eriksson 2014-01-23 09:43:57 CET
Name: CVE-2013-6412
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6412
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20131104
Category: 
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1034261
Reference: CONFIRM:https://github.com/hercules-team/augeas/commit/f5b4fc0c
Reference: CONFIRM:https://github.com/hercules-team/augeas/pull/58
Reference: REDHAT:RHSA-2014:0044
Reference: URL:http://rhn.redhat.com/errata/RHSA-2014-0044.html

The transform_save function in transform.c in Augeas 1.0.0 through
1.1.0 does not properly calculate the permission values when the umask
contains a "7," which causes world-writable permissions to be used for
new files and allows local users to modify the files via unspecified
vectors.
Comment 9 David Walser 2014-01-24 00:03:43 CET
augeas-1.1.0-3.mga4 uploaded for Cauldron.
Comment 10 claire robinson 2014-02-12 15:55:09 CET
Created attachment 4981 [details]
examples.sh adapted from https://github.com/hercules-team/augeas/blob/master/examples/examples.sh

Adapted the github example.sh to use system fadot.

Testing complete mga3 64

$ chmod u+x examples.sh 
$ ./examples.sh 
Example compilation complete. Results are available in directory /tmp/fadot-examples

$ ls /tmp/fadot-examples
complement.dot  concat.dot  intersect.dot  minus.dot  sample.dot  union.dot
complement.png  concat.png  intersect.png  minus.png  sample.png  union.png

$ gwenview /tmp/fadot-examples/

Viewed the png's it creates in gwenview then cleaned up with..

$ rm -rf /tmp/fadot-examples/
Comment 11 claire robinson 2014-02-12 16:00:15 CET
ALso used some commands from the augtool shell, eg help, print
Comment 12 claire robinson 2014-02-12 16:26:48 CET
Testing complete mga3 32
Comment 13 Rémi Verschelde 2014-02-12 17:51:04 CET
Advisory uploaded, please push to 3 core/updates.
Comment 14 Thomas Backlund 2014-02-12 18:45:18 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0058.html

Note You need to log in before you can comment on or make changes to this bug.