Bug 94071 - net-fs/davfs2: Failure to enforce UNIX fs permissions (CAN-2005-1774)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.securityfocus.com/bid/13770
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2005-05-26 05:42 UTC by Adir Abraham
Modified: 2005-07-19 00:29 UTC

See Also:
Package list:
Runtime testing required: ---
Description Adir Abraham 2005-05-26 05:42:24 UTC
According to SecurityFocus.com:

Davfs2 is prone to a security vulnerability. Reports indicate that UNIX file
system permissions are not respected by Davfs2. A WebDAV filesystem that was
mounted will have no permission restrictions at all.

A local attacker may take advantage of this design error to access or corrupt
potentially sensitive data.

---

Vulnerable: 0.2.2

The latest version is 0.2.3, but it's not mentioned that it's not vulnerable, so
you might want to check that out.


Reproducible: Always
Steps to Reproduce:
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-06-01 05:50:08 UTC
0.2.3 is also vulnerable.

See the bug at:
http://sourceforge.net/tracker/index.php?func=detail&aid=1209283&group_id=26275&atid=386747

and the discussion at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310757

Apparently davfs2 kinda sucks in the rights enforcement department:

22:07 < rleigh> madduck: Re davfs2: Check src/webdav.c, line 480.  Looks like 
          executable perms are enforced, but I may be wrong (I don't know the 
          interrelationship of libneon and CODA and davfs).  auth(), line 145 
          also looks suspect.  Generally, the code has FIXMEs, and it looks 
          like it is responsible for handling VFS operations.  If this is 
          correct, it's not doing a very good job.
22:11 < rleigh> (chmod is blank!)
22:18 < rleigh> madduck: I'll review it some more (I've just found the mount 
          option handling), but IMHO it's broken.
23:15 < rleigh> madduck: Just for the record: the only trace of uid/gid/mode 
          handling is in src/util.c, dav_(set|get)_fstat_default().  This is 
          used by src/davfsd.c in set_mkdir_attr and coda_open (via 
          src/webdav.c in dav_stat()).  The upshot is the uid/gid are set to 
          those provided.  The mode handling looks like it might be suspect, 
          and I don't see any permissions checking [perhaps it's supposed to be 
          in kernelspace].  I also saw at least one leak.

My opinion is that davfs2 doesn't say it enforces Unix FS permissions, so it may
not even be a bug. Maybe a lack of documentation for that "feature"? That said,
the code apparently sucks...
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 06:21:29 UTC
Ccing maintainer.
A patch is under discussion on the Debian bug.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-24 05:48:56 UTC
Might be what is there:
http://cvs.sourceforge.net/viewcvs.py/dav/davfs2/src/davfsd.c?r1=1.29.2.5&r2=1.29.2.6
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-07-05 06:06:05 UTC
You'll also need the corresponding fixes in util.c, util.h, and webdav.c.

net-fs / genstef: what's your position on this? Ready to patch? Upstream
fixed it in CVS but apparently has no intention of rushing a fix.
Comment 5 Stefan Schweizer (RETIRED) gentoo-dev 2005-07-18 05:00:05 UTC
New version 0.2.4 is available on dav.sf.net
I need to make a patch apply on it first though; be patient please.
Comment 6 Stefan Schweizer (RETIRED) gentoo-dev 2005-07-18 14:58:55 UTC
davfs2 has been bumped and stabled for x86.
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-18 18:19:23 UTC
Ready for GLSA vote - I tend to say no. Only x86 was marked stable and, like Koon
said, this might not even be a real bug.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-18 22:13:01 UTC
I tend to vote NO too (at least until we have better information). 
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-07-19 00:29:59 UTC
Agreed on no, and closing.