13953 – security warning for davfs2

Bug 13953 - security warning for davfs2

Summary: security warning for davfs2

Status:	RESOLVED DUPLICATE of bug 11291

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	RPM Packages (show other bugs)
Version:	5
Hardware:	x86_64 Linux

Priority:	Normal Severity: normal
Target Milestone:	Mageia 5
Assignee:	Shlomi Fish
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-08-20 16:02 CEST by andre salaun
Modified:	2016-10-20 22:25 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	davfs2
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description andre salaun 2014-08-20 16:02:46 CEST

Description of problem:
msec report mentionned et secutity warning for davfs2 and avahi-autoip users

Version-Release number of selected component (if applicable):
msec-0.80.10-14.mga4

How reproducible:
Reading report from /etc/cron.daily/msec

Steps to Reproduce:

Msec report mentionned :

Detailed report:

Security Warning: these home directory should not be owned by someone else or writable :
user=avahi-autoipd(497) : home directory is owned by avahi(473).
user=davfs2(481) : home directory is group writable.

Permissions and/or owners are not correct.

Like that one since Mageia 3 : https://bugs.mageia.org/show_bug.cgi?id=11291

No solution ?



Reproducible: 

Steps to Reproduce:

Comment 1 Manuel Hiebel 2014-08-20 19:28:06 CEST

well I don't know, shlomif, you know if it's a security issue : 
'user=davfs2(481) : home directory is group writable.' ?

Keywords: (none) => Triaged
CC: (none) => shlomif

Comment 2 Shlomi Fish 2014-08-22 07:51:51 CEST

(In reply to Manuel Hiebel from comment #1)
> well I don't know, shlomif, you know if it's a security issue : 
> 'user=davfs2(481) : home directory is group writable.' ?

It may be a (potential) security problem, but it's unlikely to cause a lot of damage, and group-writable makes sense with WebDAV. You can put the group-writable on a sub-directory though.

Curtis Hildebrand 2014-11-03 09:03:35 CET

CC: (none) => curtis_mageia

Comment 3 Samuel Verschelde 2015-09-21 13:20:25 CEST

Mageia 4 changed to end-of-life (EOL) status on 2015-09-19. It is is no longer 
maintained, which means that it will not receive any further security or bug 
fix updates.

Package Maintainer: If you wish for this bug to remain open because you plan to 
fix it in a currently maintained version, simply change the 'version' to a later 
Mageia version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we weren't 
able to fix it before Mageia 4's end of life. If you are able to reproduce it 
against a later version of Mageia, you are encouraged to click on "Version" and 
change it against that version of Mageia. If it's valid in several versions, 
select the highest and add MGAxTOO in whiteboard for each other valid release.
Example: it's valid in cauldron and Mageia 5, set to cauldron and add MGA5TOO.

Although we aim to fix as many bugs as possible during every release's lifetime, 
sometimes those efforts are overtaken by events. Often a more recent Mageia 
release includes newer upstream software that fixes bugs or makes them obsolete.

If you would like to help fixing bugs in the future, don't hesitate to join the
packager team via our mentoring program [1] or join the teams that fit you 
most [2].

[1] https://wiki.mageia.org/en/Becoming_a_Mageia_Packager
[2] http://www.mageia.org/contribute/

Comment 4 Marja Van Waes 2015-10-27 06:57:40 CET

As announced over a month ago, Mageia 4 changed to end-of-life (EOL) status on 2015-09-19. It is is no longer maintained, which means that it will not receive any further security or bug fix updates.

This issue may have been fixed in a later Mageia release, so, if you still see it and didn't already do so: please upgrade to Mageia 5 (or, if you read this much later than this is written: make sure you run a currently maintained Mageia version)

If you are able to reproduce it against a maintained version of Mageia, you are encouraged to
1. reopen this bug report, by changing the "Status" from "RESOLVED - OLD" to "REOPENED"
2. click on "Version" and change it against that version of Mageia. If you know it's valid in several versions, select the highest and add MGAxTOO in whiteboard for each other valid release.
Example: it's valid in cauldron and Mageia 5, set to cauldron and add MGA5TOO.
3. give as much relevant information as possible. If you're not an experienced bug reporter and have some time: please read this page:
https://wiki.mageia.org/en/How_to_report_a_bug_properly

If you see a similar issue, but are _not_sure_ it is the same, with the same cause, then please file a new bug report and mention this one in it (please include the bug number, too).

If you would like to help fixing bugs in the future, don't hesitate to join the
packager team via our mentoring program [1] or join the teams that fit you
most [2].
[1] https://wiki.mageia.org/en/Becoming_a_Mageia_Packager
[2] http://www.mageia.org/contribute/

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 5 andre salaun 2015-10-27 12:13:31 CET

This bug still exists about davfs2 in mga5 release.

Concerning avahi-autoipd I don't know, can someone verify on a fresh mga5 install ? Mine is an upgrade.

Status: RESOLVED => REOPENED
Version: 4 => 5
Resolution: OLD => (none)
Target Milestone: --- => Mageia 5
Summary: security warning for avahi-autoip and davfs2 => security warning for davfs2

Comment 6 Marja Van Waes 2016-10-20 22:25:28 CEST

the davfs issue is indeed a duplicate of bug 11291

Feel free to reopen this report for the avahi-autoip issue, if you see it again and if _no_ open report exists for it.

*** This bug has been marked as a duplicate of bug 11291 ***

Keywords: Triaged => (none)
Status: REOPENED => RESOLVED
CC: (none) => marja11
Resolution: (none) => DUPLICATE
Assignee: bugsquad => shlomif
Source RPM: msec-0.80.10-14.mga4.src.rpm => davfs2

Note You need to log in before you can comment on or make changes to this bug.