RedHat has issued an advisory today (November 21): https://rhn.redhat.com/errata/RHSA-2013-1537.html

The issues were fixed upstream in 1.0.0, which RedHat updated to. We have 1.1.0 in Cauldron, so it's not affected. Mageia 2 is also affected.
CC: (none) => bruno, guillomovitch, joequant, thomas
Whiteboard: (none) => MGA2TOO
Status: NEW => ASSIGNED
URL: (none) => http://lwn.net/Vulnerabilities/574606/
Removing Mageia 2 from the whiteboard due to EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Whiteboard: MGA2TOO => (none)
I fixed this bug by upgrading to version 1.1.0, which we have in Cauldron. This makes maintaining easier than just upgrading to version 1.0.0.

This fixes security issues CVE-2012-0786 and CVE-2012-0787.

The packages are:
augeas-1.1.0-1.mga3.src.rpm
augeas-1.1.0-1.mga3.x86_64.rpm
lib64augeas-devel-1.1.0-1.mga3.x86_64.rpm
lib64augeas0-1.1.0-1.mga3.x86_64.rpm
lib64fa1-1.1.0-1.mga3.x86_64.rpm
augeas-lenses-1.1.0-1.mga3.x86_64.rpm
augeas-debuginfo-1.1.0-1.mga3.x86_64.rpm
and the same as i586.rpm

Assigning to qa-bugs@ml.mageia.org
Assignee: bugsquad => qa-bugs
Thanks Thomas!

Advisory:
========================

Updated augeas packages fix security vulnerabilities:

Multiple flaws were found in the way Augeas handled configuration files when updating them. An application using Augeas to update configuration files in a directory that is writable to by a different user (for example, an application running as root that is updating files in a directory owned by a non-root service user) could have been tricked into overwriting arbitrary files or leaking information via a symbolic link or mount point attack (CVE-2012-0786, CVE-2012-0787).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0787
https://rhn.redhat.com/errata/RHSA-2013-1537.html
========================

Updated packages in core/updates_testing:
========================
augeas-1.1.0-1.mga3
libaugeas-devel-1.1.0-1.mga3
libaugeas0-1.1.0-1.mga3
libfa1-1.1.0-1.mga3
augeas-lenses-1.1.0-1.mga3
augeas-debuginfo-1.1.0-1.mga3

from augeas-1.1.0-1.mga3.src.rpm
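The advisory text describes the CVE-2012-0786/0787 attack class in one sentence: a privileged updater writes a config file in a directory someone else controls, and a planted symlink redirects the write. The following C program is an added example written for this thread, not augeas code and not the upstream fix. It builds a constructed scenario in a fresh temporary directory (a "victim" file and an app.conf symlink pointing at it), shows a plain open() following the link and clobbering the victim, and then shows the same write refused when the updater opens with O_NOFOLLOW. The directory and file names are invented for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read a small file into buf (NUL-terminated); returns bytes read or -1. */
static ssize_t read_small(const char *path, char *buf, size_t len) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed scenario (not augeas code):
 *   <tmpdir>/victim   - a file the updater must never touch
 *   <tmpdir>/app.conf - a symlink planted by the directory owner -> victim
 * The "updater" writes "updated" through app.conf twice, first with a plain
 * open(), then with O_NOFOLLOW. Returns 0 on success and reports:
 *   *plain_clobbered  1 if the plain open() overwrote victim's content
 *   *nofollow_errno   errno of the O_NOFOLLOW open (ELOOP on Linux when the
 *                     final path component is a symlink), 0 if it succeeded */
int symlink_scenario(int *plain_clobbered, int *nofollow_errno) {
    char dir[] = "/tmp/aug-symlink-XXXXXX";
    char victim[PATH_MAX], conf[PATH_MAX], buf[64];
    const char *payload = "updated";
    int fd, rc = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(conf, sizeof conf, "%s/app.conf", dir);

    /* victim starts out with known content and private permissions */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) goto out;
    if (write(fd, "original", 8) != 8) { close(fd); goto out; }
    close(fd);

    /* whoever controls the directory plants the link */
    if (symlink(victim, conf) < 0) goto out;

    /* 1. naive updater: open() follows the link and truncates victim */
    fd = open(conf, O_WRONLY | O_TRUNC);
    if (fd < 0) goto out;
    if (write(fd, payload, strlen(payload)) < 0) { close(fd); goto out; }
    close(fd);
    if (read_small(victim, buf, sizeof buf) < 0) goto out;
    *plain_clobbered = (strcmp(buf, payload) == 0);

    /* 2. hardened updater: refuse to write through a symlink at the leaf */
    fd = open(conf, O_WRONLY | O_TRUNC | O_NOFOLLOW);
    if (fd < 0) {
        *nofollow_errno = errno;
    } else {
        *nofollow_errno = 0;
        close(fd);
    }
    rc = 0;
out:
    unlink(conf);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void) {
    int clobbered = 0, err = 0;
    if (symlink_scenario(&clobbered, &err) != 0) { perror("scenario"); return 1; }
    printf("plain open() overwrote victim: %s\n", clobbered ? "yes" : "no");
    printf("O_NOFOLLOW open(): %s\n", err ? strerror(err) : "opened");
    return 0;
}
```

O_NOFOLLOW only protects the final path component. A symlinked parent directory or a mount point planted under the directory (the other vector the advisory names) is not caught by it; for that an updater has to walk the path with openat()/fstatat() and check that each directory it traverses is owned by the expected user and is not writable by others before creating or renaming anything in it.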
https://rhn.redhat.com/errata/RHSA-2014-0044.html CVE-2013-6412 is fixed with augeas-1.1.0-1.1.mga3 and augeas-1.1.0-3.mga4 augeas-1.1.0-3.mga4 needs to be submitted though.
CC: (none) => oe
Summary: augeas new security issues CVE-2012-0786 and CVE-2012-0787 => augeas new security issues CVE-2012-0786, CVE-2012-0787, CVE-2013-6412
Thanks Oden! Freeze push requested for Cauldron.

Advisory:
========================

Updated augeas packages fix security vulnerabilities:

Multiple flaws were found in the way Augeas handled configuration files when updating them. An application using Augeas to update configuration files in a directory that is writable to by a different user (for example, an application running as root that is updating files in a directory owned by a non-root service user) could have been tricked into overwriting arbitrary files or leaking information via a symbolic link or mount point attack (CVE-2012-0786, CVE-2012-0787).

A flaw was found in the way Augeas handled certain umask settings when creating new configuration files. This flaw could result in configuration files being created as world writable, allowing unprivileged local users to modify their content (CVE-2013-6412).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6412
https://rhn.redhat.com/errata/RHSA-2013-1537.html
https://rhn.redhat.com/errata/RHSA-2014-0044.html
========================

Updated packages in core/updates_testing:
========================
augeas-1.1.0-1.1.mga3
libaugeas-devel-1.1.0-1.1.mga3
libaugeas0-1.1.0-1.1.mga3
libfa1-1.1.0-1.1.mga3
augeas-lenses-1.1.0-1.1.mga3
augeas-debuginfo-1.1.0-1.1.mga3

from augeas-1.1.0-1.1.mga3.src.rpm
LWN reference for CVE-2013-6412: http://lwn.net/Vulnerabilities/581540/
This update makes augeas jump from 0.10.1 to 1.1.0 (2 releases, 2 years of development), with lots of changes. We need to be careful with testing it. Was updating to the latest version the best way to fix the security issues?

List of dependent packages that could be affected by any regression in augeas:

$ urpmq --whatrequires-recursive libaugeas0 augeas libaugeas-devel libfa1 augeas-lenses
augeas
augeas-lenses
gnome-boxes
kolab
kolab-cli
kolab-conf
kolab-imap
kolab-mta
kolab-saslauthd
kolab-server
libaugeas-devel
libaugeas0
libfa1
libnetcf-devel
libnetcf1
libvirt-java
libvirt-java-devel
libvirt-utils
libvirt-utils
libvirt-utils
netcf
ocaml-augeas
ocaml-augeas-devel
perl-Config-Augeas
postfix-kolab
pykolab
pykolab-telemetry
pykolab-xml
python-augeas
virt-manager
wallace
CC: (none) => stormi
Name: CVE-2013-6412
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6412
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20131104
Category:
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1034261
Reference: CONFIRM:https://github.com/hercules-team/augeas/commit/f5b4fc0c
Reference: CONFIRM:https://github.com/hercules-team/augeas/pull/58
Reference: REDHAT:RHSA-2014:0044
Reference: URL:http://rhn.redhat.com/errata/RHSA-2014-0044.html

The transform_save function in transform.c in Augeas 1.0.0 through 1.1.0 does not properly calculate the permission values when the umask contains a "7," which causes world-writable permissions to be used for new files and allows local users to modify the files via unspecified vectors.
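The CVE text says the mode of a new file is miscalculated when the umask contains a 7, without saying how. One calculation that behaves exactly that way is deriving the mode by octal arithmetic, 0666 - umask, instead of clearing bits with 0666 & ~umask: every digit of 0666 is 6, so subtracting a 7 borrows and leaves 7 (rwx) in that position. The C program below is an added example written for this thread; it is a model of that class of bug and not a copy of the transform.c code or of the upstream fix in commit f5b4fc0c. The function names are invented. It compares both formulas on a few umasks and scans all 512 possible umasks to count the ones where the arithmetic form hands out world-writable permissions that the bitwise form would not.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical miscalculation (assumption, not augeas' code): compute the
 * file mode by arithmetic subtraction. Correct only while no octal digit of
 * the umask forces a borrow or has a bit that 6 (rw-) does not have. */
mode_t mode_by_subtraction(unsigned um) {
    return (mode_t)(0666 - (um & 0777));
}

/* Correct form: clear exactly the permission bits the umask names. */
mode_t mode_by_mask(unsigned um) {
    return (mode_t)(0666 & ~(um & 0777));
}

/* 1 if the "other" write bit is set, i.e. any local user may modify the file. */
int world_writable(mode_t m) {
    return (m & S_IWOTH) != 0;
}

/* Scan every umask from 0000 to 0777 and count those for which the
 * subtraction form yields a world-writable mode while the bitwise form does
 * not. The low octal digit never receives a borrow, so the outcome depends
 * only on that digit: 3 and 7 are the offenders, 2 digits x 64 = 128 umasks. */
int count_spurious_world_writable(void) {
    int n = 0;
    for (unsigned um = 0; um <= 0777; um++) {
        if (world_writable(mode_by_subtraction(um)) &&
            !world_writable(mode_by_mask(um)))
            n++;
    }
    return n;
}

int main(void) {
    /* constructed sample umasks: the common 022 and three containing a 7 */
    unsigned samples[] = { 0022, 0027, 0077, 0007 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned um = samples[i];
        mode_t sub = mode_by_subtraction(um), msk = mode_by_mask(um);
        printf("umask %04o: 0666-umask -> %04o%s   0666&~umask -> %04o%s\n",
               um, sub, world_writable(sub) ? " (world-writable!)" : "",
               msk, world_writable(msk) ? " (world-writable!)" : "");
    }
    printf("umasks made spuriously world-writable by subtraction: %d\n",
           count_spurious_world_writable());
    return 0;
}
```

A practical check on an installed augeas, after applying an update like this one, is to set umask 027 in a shell, create a new file through augtool (any lens that writes a file that does not yet exist), and confirm with stat that the result is 0640 rather than 0637.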
augeas-1.1.0-3.mga4 uploaded for Cauldron.
Created attachment 4981
examples.sh adapted from https://github.com/hercules-team/augeas/blob/master/examples/examples.sh

Adapted the GitHub examples.sh to use the system fadot.

Testing complete mga3 64

$ chmod u+x examples.sh
$ ./examples.sh
Example compilation complete.
Results are available in directory /tmp/fadot-examples
$ ls /tmp/fadot-examples
complement.dot concat.dot intersect.dot minus.dot sample.dot union.dot
complement.png concat.png intersect.png minus.png sample.png union.png
$ gwenview /tmp/fadot-examples/

Viewed the PNGs it creates in gwenview, then cleaned up with:
$ rm -rf /tmp/fadot-examples/
Whiteboard: (none) => has_procedure mga3-64-ok
Also used some commands from the augtool shell, e.g. help, print.
Testing complete mga3 32
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-32-ok mga3-64-ok
Advisory uploaded, please push to 3 core/updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure mga3-32-ok mga3-64-ok advisory
CC: (none) => remi, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0058.html
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED