15471 – autofs new security issue CVE-2014-8169

Bug 15471 - autofs new security issue CVE-2014-8169

Summary: autofs new security issue CVE-2014-8169

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	Cauldron
Hardware:	i586 Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	Shlomi Fish
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/636271/
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2015-03-11 15:41 CET by David Walser
Modified:	2015-04-27 16:53 CEST (History)
CC List:	1 user (show)

See Also:
Source RPM:	autofs-5.0.7-7.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2015-03-11 15:41:57 CET

OpenSuSE has issued an advisory today (March 11):
http://lists.opensuse.org/opensuse-updates/2015-03/msg00033.html

Patches checked into Cauldron SVN.  Freeze push requested.

Patches do not apply cleanly to the version we have in Mageia 4.

Reproducible: 

Steps to Reproduce:

David Walser 2015-03-11 19:19:33 CET

URL: (none) => http://lwn.net/Vulnerabilities/636271/

Comment 1 David Walser 2015-03-12 21:01:17 CET

autofs-5.1.0-4.mga5 uploaded for Cauldron.

Sander Lepik 2015-03-14 19:32:28 CET

CC: (none) => mageia
Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2015-03-15 08:48:56 CET

(In reply to David Walser from comment #0)
> OpenSuSE has issued an advisory today (March 11):
> http://lists.opensuse.org/opensuse-updates/2015-03/msg00033.html
> 
> Patches checked into Cauldron SVN.  Freeze push requested.
> 
> Patches do not apply cleanly to the version we have in Mageia 4.
> 

Do you know if this bug happens at all in the autofs version in Mageia 4?

Regards,

-- Shlomi Fish

> Reproducible: 
> 
> Steps to Reproduce:

Comment 3 David Walser 2015-03-15 13:39:48 CET

(In reply to Shlomi Fish from comment #2)
> Do you know if this bug happens at all in the autofs version in Mageia 4?

Why wouldn't it?  autofs 5.0.7 also supports executable automounter maps.

Comment 4 Shlomi Fish 2015-03-16 17:30:35 CET

(In reply to David Walser from comment #3)
> (In reply to Shlomi Fish from comment #2)
> > Do you know if this bug happens at all in the autofs version in Mageia 4?
> 
> Why wouldn't it?  autofs 5.0.7 also supports executable automounter maps.

I see. Maybe we can ask upstream if they can provide an equivalent patch for autofs version 5.0.7.

Comment 5 Shlomi Fish 2015-03-21 09:19:46 CET

Adding "NEEDHELP"/"OK" to the whiteboard.

Whiteboard: (none) => NEEDHELP OK

Comment 6 Shlomi Fish 2015-03-23 10:17:24 CET

David:

according to the autofs README:

<QUOTE>

If you use or want to help develop autofs, please join the autofs
mailing list by sending an email to:

        majordomo@vger.kernel.org

With the body text:

        subscribe autofs

Once subscribed you can send patches to:

        autofs@vger.kernel.org

The autofs mailing list archive can be viewed on gmane:

        http://news.gmane.org/gmane.linux.kernel.autofs
        http://blog.gmane.org/gmane.linux.kernel.autofs

(END)

</QUOTE>

Now, I cannot subscribe and post there because I'm banned from the @vger.kernel.org E-mail domain. Can you please subscribe there and ask the question there?

Regards,

-- Shlomi Fish

Comment 7 David Walser 2015-04-27 16:53:59 CEST

According to Ubuntu, the issue was introduced in 5.0.8.  5.0.7 is not affected:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8169.html

Closing as FIXED for Cauldron.

Status: NEW => RESOLVED
Version: 4 => Cauldron
Resolution: (none) => FIXED
Whiteboard: NEEDHELP OK => (none)

Note You need to log in before you can comment on or make changes to this bug.