RedHat has issued an advisory today (November 21): https://rhn.redhat.com/errata/RHSA-2013-1732.html

It was fixed upstream in the version we have in Cauldron. Patched package uploaded for Mageia 3.

Note to QA: The patch includes an addition to the built-in build-time test suite to make sure the fix works correctly, and the test suite is run during our package's build.

Advisory:
========================

Updated busybox packages fix security vulnerability:

It was found that the mdev BusyBox utility could create certain directories within /dev with world-writable permissions. A local unprivileged user could use this flaw to manipulate portions of the /dev directory tree (CVE-2013-1813).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1813
https://rhn.redhat.com/errata/RHSA-2013-1732.html
========================

Updated packages in core/updates_testing:
========================
Wrote: /home/iurt/rpmbuild/RPMS/i586/busybox-1.20.2-2.1.mga3.i586.rpm
Wrote: /home/iurt/rpmbuild/RPMS/i586/busybox-static-1.20.2-2.1.mga3.i586.rpm

from busybox-1.20.2-2.1.mga3.src.rpm
Note: this issue also affects Mageia 2, which I have patched in SVN, but the package currently does not build:
http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20131121151614.luigiwalser.valstar.3576/log/busybox-1.19.3-1.2.mga2/build.0.20131121151705.log

This is strange, since we've previously issued an update for busybox on Mageia 2, so I don't know why it won't build now. The only thing I can think of is that maybe it's an issue with kernel 3.4 (the previous update was built against kernel 3.3).
CC: (none) => thierry.vignaud, tmb
URL: (none) => http://lwn.net/Vulnerabilities/574610/
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: busybox

Default package installed:
[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.mga3.i586 is already installed

Command line functions like busybox ls, busybox vi run normally

Install busybox updates from nonfree updates_testing:
[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.1.mga3.i586 is already installed

Command line functions like busybox ls, busybox vi run normally

There are two additional packages in the repo:
busybox-static
mindi-busybox
Do these need to be tested also?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
CC: (none) => wilcal.int
As the package list shows, busybox-static is part of this update, mindi-busybox is not. The affected code is in util-linux/mdev.c. I'm not sure if there's a way to initiate this code directly. The change comes in the build_alias() function when it creates a directory, apparently doing something similar to mkdir -p where it has to create directories recursively. It fixes it to use a umask of 022 when creating the intermediate directories instead of 000.
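To make the description above concrete, here is an added example (not code from busybox or from this bug) that replays a recursive mkdir under both umasks in a temporary tree standing in for /dev and then checks the mode of the intermediate directory. make_parents is a simplified stand-in for libbb's recursive directory creation, and the /tmp tree and the "bus/usb/001" path are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* mkdir -p style: create every missing component of `path`. Each new directory
 * gets `mode` & ~umask, so the umask in force decides whether it is 0777 or 0755. */
static int make_parents(const char *path, mode_t mode)
{
    char buf[4096];
    if (snprintf(buf, sizeof buf, "%s", path) >= (int)sizeof buf) return -1;
    for (char *p = buf + 1; *p; p++) {
        if (*p != '/') continue;
        *p = '\0';                       /* temporarily cut at this component */
        if (mkdir(buf, mode) < 0 && errno != EEXIST) return -1;
        *p = '/';
    }
    return 0;
}
/* 1 if `path` is a directory anyone may write to (S_IWOTH, no sticky bit), 0 if not, -1 on error. */
int world_writable_dir(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0) return -1;
    return S_ISDIR(st.st_mode) && (st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX);
}

/* Replay the scenario in a fresh temp tree standing in for /dev: fixed=0 runs with
 * umask 000 like unpatched mdev, fixed=1 with 022 like the patch.
 * Returns world_writable_dir() of the intermediate directory "bus". */
int demo(int fixed)
{
    char root[] = "/tmp/mdevdemoXXXXXX", path[4096];   /* constructed stand-in for /dev */
    if (!mkdtemp(root)) return -1;
    snprintf(path, sizeof path, "%s/bus/usb/001/", root);
    mode_t saved = umask(fixed ? 022 : 000);
    int rc = make_parents(path, 0777);
    umask(saved);
    snprintf(path, sizeof path, "%s/bus", root);
    int result = rc < 0 ? -1 : world_writable_dir(path);
    const char *sub[] = { "bus/usb/001", "bus/usb", "bus" };   /* clean up, leaves first */
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", root, sub[i]);
        rmdir(path);
    }
    rmdir(root);
    return result;
}
```

demo(0) reports the intermediate directory as world-writable, demo(1) does not; the same world_writable_dir() check run over a real /dev tree is a quick way to confirm the installed package behaves as the advisory states.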
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: busybox

Default package installed:
[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.mga3.x86_64 is already installed

Command line functions like busybox ls, busybox vi run normally

Install busybox updates from nonfree updates_testing:
[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.1.mga3.x86_64 is already installed

Command line functions like busybox ls, busybox vi run normally

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Whiteboard: (none) => MGA3-32-OK MGA3-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Has the advisory been created for this bug?
Not yet William, check for the 'advisory' tag in the whiteboard. Can you please add it if you upload it?

Ok.
Advisory 11722.adv committed to svn. Someone from the sysadmin team please push 11722.adv to updates.
CC: (none) => davidwhodgins
Whiteboard: MGA3-32-OK MGA3-64-OK => MGA3-32-OK MGA3-64-OK advisory
Update pushed: http://advisories.mageia.org/MGASA-2013-0358.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED