Bug 11722 - busybox new security issue CVE-2013-1813
: busybox new security issue CVE-2013-1813
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/574610/
: MGA3-32-OK MGA3-64-OK advisory
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-11-21 16:24 CET by David Walser
Modified: 2013-11-30 22:46 CET (History)
5 users (show)

See Also:
Source RPM: busybox-1.20.2-2.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-11-21 16:24:58 CET
RedHat has issued an advisory today (November 21):
https://rhn.redhat.com/errata/RHSA-2013-1732.html

It was fixed upstream in the version we have in Cauldron.

Patched package uploaded for Mageia 3.

Note to QA: The patch includes an addition to the built-in build-time test suite to make sure the fix works correctly, and the test suite is run during our package's build.

Advisory:
========================

Updated busybox packages fix security vulnerability:

It was found that the mdev BusyBox utility could create certain directories
within /dev with world-writable permissions. A local unprivileged user
could use this flaw to manipulate portions of the /dev directory tree
(CVE-2013-1813).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1813
https://rhn.redhat.com/errata/RHSA-2013-1732.html
========================

Updated packages in core/updates_testing:
========================
Wrote: /home/iurt/rpmbuild/RPMS/i586/busybox-1.20.2-2.1.mga3.i586.rpm
Wrote: /home/iurt/rpmbuild/RPMS/i586/busybox-static-1.20.2-2.1.mga3.i586.rpm

from busybox-1.20.2-2.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-11-21 16:27:39 CET
Note: this issue also affects Mageia 2, which I have patched in SVN, but the package currently does not build:
http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20131121151614.luigiwalser.valstar.3576/log/busybox-1.19.3-1.2.mga2/build.0.20131121151705.log

This is strange, since we've previously issue an update for busybox on Mageia 2, so I don't know why it won't build now.  The only thing I can think is maybe it's an issue with kernel 3.4 (the previous update was built against kernel 3.3).
Comment 2 William Kenney 2013-11-25 17:43:23 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
busybox

Default package installed:
[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.mga3.i586 is already installed
Command line functions like busybox ls, busybox vi run normally

Install busybox updates from nonfree updates_testing:

[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.1.mga3.i586 is already installed
Command line functions like busybox ls, busybox vi run normally

There are two additional packages in the repo:
busybox-static
mindi-busybox

Do these need to be testing also?


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 3 David Walser 2013-11-25 18:08:18 CET
As the package list shows, busybox-static is part of this update, mindi-busybox is not.

The affected code is in util-linux/mdev.c.  I'm not sure if there's a way to initiate this code directly.  The change comes in the build_alias() function when it creates a directory, apparently doing something similar to mkdir -p where it has to create directories recursively.  It fixes it to use a umask of 022 when creating the intermediate directories instead of 000.
Comment 4 William Kenney 2013-11-26 19:18:08 CET
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
busybox

Default package installed:
[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.mga3.x86_64 is already installed
Command line functions like busybox ls, busybox vi run normally

Install busybox updates from nonfree updates_testing:

[root@localhost wilcal]# urpmi busybox
Package busybox-1.20.2-2.1.mga3.x86_64 is already installed
Command line functions like busybox ls, busybox vi run normally


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 5 William Kenney 2013-11-26 19:20:58 CET
Has the advisory been created for this bug?
Comment 6 claire robinson 2013-11-26 19:30:09 CET
Not yet William, check for 'advisory' tag in whiteboard. Can you please add it if you upload it Ok.
Comment 7 Dave Hodgins 2013-11-26 19:55:57 CET
Advisory 11722.adv committed to svn.

Someone from the sysadmin team please push 11722.adv to updates.
Comment 8 Thomas Backlund 2013-11-30 22:46:46 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0358.html

Note You need to log in before you can comment on or make changes to this bug.