Bug 492528 (CVE-2012-6607) - <app-admin/augeas-0.10.0-r2: symlink attack on a .augsave file (CVE-2012-{0786,0787,6607})
Summary: <app-admin/augeas-0.10.0-r2: symlink attack on a .augsave file (CVE-2012-{078...
Status: RESOLVED FIXED
Alias: CVE-2012-6607
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa/cleanup+]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-11-25 19:48 UTC by Agostino Sarubbo
Modified: 2015-08-14 01:21 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-11-25 19:48:43 UTC
From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2012-6607 to
the following vulnerability:

Name: CVE-2012-6607
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6607
Assigned: 20131123
Reference: http://augeas.net/news.html
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=772257
Reference: https://github.com/hercules-team/augeas/commit/16387744
Reference: REDHAT:RHSA-2013:1537
Reference: http://rhn.redhat.com/errata/RHSA-2013-1537.html
Reference: SECUNIA:55811
Reference: http://secunia.com/advisories/55811

The transform_save function in transform_save in Augeas before 1.0.0 allows local users to 
overwrite arbitrary files and obtain sensitive information via a symlink attack on a .augsave file 
in a backup save action, a different vector than CVE-2012-0786.


@maintainer(s): since the fixed package is already in the tree, please let us know whether it is ready for stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 21:02:35 UTC
CVE-2012-6607 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6607):
  The transform_save function in transform_save in Augeas before 1.0.0 allows
  local users to overwrite arbitrary files and obtain sensitive information
  via a symlink attack on a .augsave file in a backup save action, a different
  vector than CVE-2012-0786.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 21:03:36 UTC
CVE-2012-0787 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0787):
  The clone_file function in transfer.c in Augeas before 1.0.0, when
  copy_if_rename_fails is set and EXDEV or EBUSY is returned by the rename
  function, allows local users to overwrite arbitrary files and obtain
  sensitive information via a bind mount on the (1) .augsave or (2)
  destination file when using the backup save option, or (3) .augnew file when
  using the newfile save option.

CVE-2012-0786 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0786):
  The transform_save function in transform_save in Augeas before 1.0.0 allows
  local users to overwrite arbitrary files and obtain sensitive information
  via a symlink attack on a .augnew file.
Comment 3 Agostino Sarubbo gentoo-dev 2013-12-01 09:19:26 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1034261 :

Augeas upstream commit 051c73a9:

https://github.com/hercules-team/augeas/commit/051c73a9

introduced a flaw in the way Augeas sets permissions on newly created files.  The above commit aims to address a regression introduced in the fix for CVE-2012-0786 (see bug 772257 comment 39), which introduced a use of mkstemp() to create new files.  mkstemp() always sets 0600 file permissions regardless of the current umask setting.  Commit 051c73a9 attempts to fix file permissions based on umask setting, but it does not correctly handle certain umask values, causing Augeas to make newly created files world writable.  A local user could possibly use this flaw to modify configuration files created by an application using Augeas.
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-12-11 03:24:37 UTC
app-admin/augeas-0.10.0-r2 has the fix

arches, please stabilize for alpha amd64 hppa ppc sparc x86

I don't want to change the title, can you (sec team) do so?
Comment 5 Agostino Sarubbo gentoo-dev 2013-12-11 08:48:51 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-12-11 08:49:06 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-12-11 14:32:49 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-12-13 09:24:15 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-12-13 09:24:33 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-12-14 19:46:55 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-14 20:10:45 UTC
GLSA vote: no.
Comment 12 Sergey Popov gentoo-dev 2013-12-15 10:01:29 UTC
GLSA vote: no

Voting is done, waiting for cleanup
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-05-30 22:22:45 UTC
Maintainers please clean up vulnerable versions so we can close this bug.

Thank you.
Comment 14 Chris Reffett (RETIRED) gentoo-dev Security 2015-08-14 01:21:35 UTC
Cleanup done.