11721 – augeas new security issues CVE-2012-0786, CVE-2012-0787, CVE-2013-6412

Bug 11721 - augeas new security issues CVE-2012-0786, CVE-2012-0787, CVE-2013-6412

Summary: augeas new security issues CVE-2012-0786, CVE-2012-0787, CVE-2013-6412

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	3
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/574606/
Whiteboard:	has_procedure mga3-32-ok mga3-64-ok a...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2013-11-21 15:58 CET by David Walser
Modified:	2014-02-12 18:45 CET (History)
CC List:	9 users (show)

See Also:
Source RPM:	augeas-0.10.0-7.mga3.src.rpm
CVE:
Status comment:

Attachments
examples.sh adapted from https://github.com/hercules-team/augeas/blob/master/examples/examples.sh (597 bytes, application/x-shellscript) 2014-02-12 15:55 CET, claire robinson	Details
View All Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2013-11-21 15:58:08 CET

RedHat has issued an advisory today (November 21):
https://rhn.redhat.com/errata/RHSA-2013-1537.html

The issues were fixed upstream in 1.0.0, which RedHat updated to.

We have 1.1.0 in Cauldron, so it's not affected.  Mageia 2 is also affected.

Reproducible: 

Steps to Reproduce:

David Walser 2013-11-21 15:58:32 CET

CC: (none) => bruno, guillomovitch, joequant, thomas

David Walser 2013-11-21 15:58:37 CET

Whiteboard: (none) => MGA2TOO

Thomas Spuhler 2013-11-21 18:16:29 CET

Status: NEW => ASSIGNED

David Walser 2013-11-21 18:31:16 CET

URL: (none) => http://lwn.net/Vulnerabilities/574606/

Comment 1 David Walser 2013-11-22 16:05:42 CET

Removing Mageia 2 from the whiteboard due to EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Whiteboard: MGA2TOO => (none)

Comment 2 Thomas Spuhler 2014-01-03 19:25:59 CET

I fixed this bug by upgrading to version 1.1.0 which we have in cauldron.
This makes maintaining easier than just upgrading to version 1.0.0.
This fixes Security issue CVE-2012-0786 and CVE-2012-0787
The packages are:
augeas-1.1.0-1.mga3.src.rpm
augeas-1.1.0-1.mga3.x86_64.rpm
lib64augeas-devel-1.1.0-1.mga3.x86_64.rpm
lib64augeas0-1.1.0-1.mga3.x86_64.rpm
lib64fa1-1.1.0-1.mga3.x86_64.rpm
augeas-lenses-1.1.0-1.mga3.x86_64.rpm
augeas-debuginfo-1.1.0-1.mga3.x86_64.rpm
and the same as i586.rpm
Assigning to qa-bugs@ml.mageia.org

Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2014-01-03 19:44:22 CET

Thanks Thomas!

Advisory:
========================

Updated augeas packages fix security vulnerabilities:

Multiple flaws were found in the way Augeas handled configuration files
when updating them. An application using Augeas to update configuration
files in a directory that is writable to by a different user (for example,
an application running as root that is updating files in a directory owned
by a non-root service user) could have been tricked into overwriting
arbitrary files or leaking information via a symbolic link or mount point
attack (CVE-2012-0786, CVE-2012-0787).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0787
https://rhn.redhat.com/errata/RHSA-2013-1537.html
========================

Updated packages in core/updates_testing:
========================
augeas-1.1.0-1.mga3
libaugeas-devel-1.1.0-1.mga3
libaugeas0-1.1.0-1.mga3
libfa1-1.1.0-1.mga3
augeas-lenses-1.1.0-1.mga3
augeas-debuginfo-1.1.0-1.mga3

from augeas-1.1.0-1.mga3.src.rpm

Comment 4 Oden Eriksson 2014-01-21 14:07:46 CET

https://rhn.redhat.com/errata/RHSA-2014-0044.html

CVE-2013-6412 is fixed with augeas-1.1.0-1.1.mga3 and augeas-1.1.0-3.mga4

augeas-1.1.0-3.mga4 needs to be submitted though.

CC: (none) => oe
Summary: augeas new security issues CVE-2012-0786 and CVE-2012-0787 => augeas new security issues CVE-2012-0786, CVE-2012-0787, CVE-2013-6412

Comment 5 David Walser 2014-01-21 14:55:22 CET

Thanks Oden!  Freeze push requested for Cauldron.

Advisory:
========================

Updated augeas packages fix security vulnerabilities:

Multiple flaws were found in the way Augeas handled configuration files
when updating them. An application using Augeas to update configuration
files in a directory that is writable to by a different user (for example,
an application running as root that is updating files in a directory owned
by a non-root service user) could have been tricked into overwriting
arbitrary files or leaking information via a symbolic link or mount point
attack (CVE-2012-0786, CVE-2012-0787).

A flaw was found in the way Augeas handled certain umask settings when
creating new configuration files. This flaw could result in configuration
files being created as world writable, allowing unprivileged local users to
modify their content (CVE-2013-6412).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6412
https://rhn.redhat.com/errata/RHSA-2013-1537.html
https://rhn.redhat.com/errata/RHSA-2014-0044.html
========================

Updated packages in core/updates_testing:
========================
augeas-1.1.0-1.1.mga3
libaugeas-devel-1.1.0-1.1.mga3
libaugeas0-1.1.0-1.1.mga3
libfa1-1.1.0-1.1.mga3
augeas-lenses-1.1.0-1.1.mga3
augeas-debuginfo-1.1.0-1.1.mga3

from augeas-1.1.0-1.1.mga3.src.rpm

Comment 6 David Walser 2014-01-21 20:44:19 CET

LWN reference for CVE-2013-6412:
http://lwn.net/Vulnerabilities/581540/

Comment 7 Samuel Verschelde 2014-01-22 11:42:26 CET

This update makes augeas jump from 0.10.1 to 1.1.0 (2 releases, 2 years of development), with lots of changes. We need to be careful with testing it.

Was updating to the latest version the best way to fix the security issues?

List of dependent packages that could be affected by any regression in augeas:

$ urpmq --whatrequires-recursive libaugeas0 augeas libaugeas-devel libfa1 augeas-lenses

augeas
augeas-lenses
gnome-boxes
kolab
kolab-cli
kolab-conf
kolab-imap
kolab-mta
kolab-saslauthd
kolab-server
libaugeas-devel
libaugeas0
libfa1
libnetcf-devel
libnetcf1
libvirt-java
libvirt-java-devel
libvirt-utils
libvirt-utils
libvirt-utils
netcf
ocaml-augeas
ocaml-augeas-devel
perl-Config-Augeas
postfix-kolab
pykolab
pykolab-telemetry
pykolab-xml
python-augeas
virt-manager
wallace

CC: (none) => stormi

Comment 8 Oden Eriksson 2014-01-23 09:43:57 CET

Name: CVE-2013-6412
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6412
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20131104
Category: 
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1034261
Reference: CONFIRM:https://github.com/hercules-team/augeas/commit/f5b4fc0c
Reference: CONFIRM:https://github.com/hercules-team/augeas/pull/58
Reference: REDHAT:RHSA-2014:0044
Reference: URL:http://rhn.redhat.com/errata/RHSA-2014-0044.html

The transform_save function in transform.c in Augeas 1.0.0 through
1.1.0 does not properly calculate the permission values when the umask
contains a "7," which causes world-writable permissions to be used for
new files and allows local users to modify the files via unspecified
vectors.

Comment 9 David Walser 2014-01-24 00:03:43 CET

augeas-1.1.0-3.mga4 uploaded for Cauldron.

Comment 10 claire robinson 2014-02-12 15:55:09 CET

Created attachment 4981 [details]
examples.sh adapted from https://github.com/hercules-team/augeas/blob/master/examples/examples.sh

Adapted the github example.sh to use system fadot.

Testing complete mga3 64

$ chmod u+x examples.sh 
$ ./examples.sh 
Example compilation complete. Results are available in directory /tmp/fadot-examples

$ ls /tmp/fadot-examples
complement.dot  concat.dot  intersect.dot  minus.dot  sample.dot  union.dot
complement.png  concat.png  intersect.png  minus.png  sample.png  union.png

$ gwenview /tmp/fadot-examples/

Viewed the png's it creates in gwenview then cleaned up with..

$ rm -rf /tmp/fadot-examples/

claire robinson 2014-02-12 15:55:46 CET

Whiteboard: (none) => has_procedure mga3-64-ok

Comment 11 claire robinson 2014-02-12 16:00:15 CET

ALso used some commands from the augtool shell, eg help, print

Comment 12 claire robinson 2014-02-12 16:26:48 CET

Testing complete mga3 32

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-32-ok mga3-64-ok

Comment 13 Rémi Verschelde 2014-02-12 17:51:04 CET

Advisory uploaded, please push to 3 core/updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure mga3-32-ok mga3-64-ok advisory
CC: (none) => remi, sysadmin-bugs

Comment 14 Thomas Backlund 2014-02-12 18:45:18 CET

Update pushed:
http://advisories.mageia.org/MGASA-2014-0058.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.