11722 – busybox new security issue CVE-2013-1813

Bug 11722 - busybox new security issue CVE-2013-1813

Summary: busybox new security issue CVE-2013-1813

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	3
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/574610/
Whiteboard:	MGA3-32-OK MGA3-64-OK advisory
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2013-11-21 16:24 CET by David Walser
Modified:	2013-11-30 22:46 CET (History)
CC List:	5 users (show)

See Also:
Source RPM:	busybox-1.20.2-2.mga3.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2013-11-21 16:24:58 CET

RedHat has issued an advisory today (November 21):
https://rhn.redhat.com/errata/RHSA-2013-1732.html

It was fixed upstream in the version we have in Cauldron.

Patched package uploaded for Mageia 3.

Note to QA: The patch includes an addition to the built-in build-time test suite to make sure the fix works correctly, and the test suite is run during our package's build.

Advisory:
========================

Updated busybox packages fix security vulnerability:

It was found that the mdev BusyBox utility could create certain directories
within /dev with world-writable permissions. A local unprivileged user
could use this flaw to manipulate portions of the /dev directory tree
(CVE-2013-1813).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1813
https://rhn.redhat.com/errata/RHSA-2013-1732.html
========================

Updated packages in core/updates_testing:
========================
Wrote: /home/iurt/rpmbuild/RPMS/i586/busybox-1.20.2-2.1.mga3.i586.rpm
Wrote: /home/iurt/rpmbuild/RPMS/i586/busybox-static-1.20.2-2.1.mga3.i586.rpm

from busybox-1.20.2-2.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:

Comment 1 David Walser 2013-11-21 16:27:39 CET

Note: this issue also affects Mageia 2, which I have patched in SVN, but the package currently does not build:
http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20131121151614.luigiwalser.valstar.3576/log/busybox-1.19.3-1.2.mga2/build.0.20131121151705.log

This is strange, since we've previously issue an update for busybox on Mageia 2, so I don't know why it won't build now.  The only thing I can think is maybe it's an issue with kernel 3.4 (the previous update was built against kernel 3.3).

CC: (none) => thierry.vignaud, tmb

David Walser 2013-11-21 18:31:25 CET

URL: (none) => http://lwn.net/Vulnerabilities/574610/

Comment 2 William Kenney 2013-11-25 17:43:23 CET

In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
busybox

Default package installed:
[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.mga3.i586 is already installed
Command line functions like busybox ls, busybox vi run normally

Install busybox updates from nonfree updates_testing:

[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.1.mga3.i586 is already installed
Command line functions like busybox ls, busybox vi run normally

There are two additional packages in the repo:
busybox-static
mindi-busybox

Do these need to be testing also?


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

CC: (none) => wilcal.int

Comment 3 David Walser 2013-11-25 18:08:18 CET

As the package list shows, busybox-static is part of this update, mindi-busybox is not.

The affected code is in util-linux/mdev.c.  I'm not sure if there's a way to initiate this code directly.  The change comes in the build_alias() function when it creates a directory, apparently doing something similar to mkdir -p where it has to create directories recursively.  It fixes it to use a umask of 022 when creating the intermediate directories instead of 000.

Comment 4 William Kenney 2013-11-26 19:18:08 CET

In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
busybox

Default package installed:
[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.mga3.x86_64 is already installed
Command line functions like busybox ls, busybox vi run normally

Install busybox updates from nonfree updates_testing:

[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.1.mga3.x86_64 is already installed
Command line functions like busybox ls, busybox vi run normally


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

William Kenney 2013-11-26 19:18:33 CET

Whiteboard: (none) => MGA3-32-OK MGA3-64-OK

William Kenney 2013-11-26 19:20:22 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 William Kenney 2013-11-26 19:20:58 CET

Has the advisory been created for this bug?

Comment 6 claire robinson 2013-11-26 19:30:09 CET

Not yet William, check for 'advisory' tag in whiteboard. Can you please add it if you upload it Ok.

Comment 7 Dave Hodgins 2013-11-26 19:55:57 CET

Advisory 11722.adv committed to svn.

Someone from the sysadmin team please push 11722.adv to updates.

CC: (none) => davidwhodgins
Whiteboard: MGA3-32-OK MGA3-64-OK => MGA3-32-OK MGA3-64-OK advisory

Comment 8 Thomas Backlund 2013-11-30 22:46:46 CET

Update pushed:
http://advisories.mageia.org/MGASA-2013-0358.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.