
Bug 461372 (CVE-2013-1813)

Summary: <sys-apps/busybox-1.21.0: insecure directory permissions in /dev (mdev) (CVE-2013-1813)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: embedded, ssuominen
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=919608
See Also: https://bugs.gentoo.org/show_bug.cgi?id=524346
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-03-11 11:28:40 UTC
From ${URL} :

It was reported [1] that busybox creates part of the /dev directory tree with incorrect permissions when creating device nodes in nested directories. This has been fixed [2] upstream.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701965
[2] http://git.busybox.net/busybox/commit/?id=4609f477c7e043a4f6147dfe6e86b775da2ef784
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2013-03-11 11:41:24 UTC
1.20.2 is vulnerable, but 1.21.0 not, after checking if the commit was in the sources
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-10 22:18:59 UTC
(In reply to comment #1)
> 1.20.2 is vulnerable, but 1.21.0 not, after checking if the commit was in
> the sources

Thanks for checking.

Should we proceed to stabilize 1.21.0?
Comment 3 Agostino Sarubbo gentoo-dev 2013-04-25 09:54:00 UTC
@maintainer: ping
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 04:00:48 UTC
Arches, please test and stabilize:
=sys-apps/busybox-1.21.0
Target arches: alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-11 14:00:20 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2013-09-12 14:59:56 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2013-09-12 17:38:27 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-09-14 07:43:26 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-09-14 10:14:38 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-09-14 10:23:22 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-09-14 10:23:43 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-09-14 10:24:16 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-09-14 10:24:35 UTC
sparc stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-09-14 10:38:17 UTC
s390 stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-09-14 10:38:48 UTC
sh stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-09-28 20:54:46 UTC
M68K is no longer a stable arch, removing it from the cc list
Comment 17 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-29 15:49:48 UTC
Added to existing GLSA draft.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 22:07:11 UTC
CVE-2013-1813 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1813):
  util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent
  directories when creating nested directories under /dev/, which allows local
  users to have unknown impact and attack vectors.
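The description above and the CVE text both come down to one detail: when mdev had to create a nested path under /dev, the intermediate directories were created with a 0777 mode. The following C program is an added example, not BusyBox code and not the upstream fix linked in the description; it creates the parent directories of a device-node path with an explicit mode and then audits which of them ended up world-writable, so the effect of a 0777 request can be compared against a 0755 request. The sandbox root under /tmp, the relative path `block/sub/node`, the helper names and the choice of 0755 as the hardened mode are all assumptions of this example; check the upstream commit for what BusyBox actually changed. mkdir(2) masks the requested mode with the caller's umask, so the helper sets umask(0) for its duration to make the on-disk result deterministic; what a 0777 request produces in practice depends on the environment mdev runs in.

```c
/* Added example (not BusyBox code): create the parent directories of a device
 * node path with an explicit mode, then count how many of them are
 * world-writable.  POSIX only; uses a throwaway sandbox under /tmp. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PATH_BUF 4096

/* Create every directory on root/rel except the final component (the node
 * itself), each with 'mode'.  umask is cleared for the duration so that the
 * requested mode is exactly what lands on disk. */
static int make_parents(const char *root, const char *rel, mode_t mode)
{
    char path[PATH_BUF];
    mode_t old = umask(0);
    int rc = 0;

    if (snprintf(path, sizeof path, "%s/%s", root, rel) >= (int)sizeof path) {
        umask(old);
        return -1;
    }
    *strrchr(path, '/') = '\0';          /* drop the node name; keep its dirs */
    for (char *p = path + strlen(root) + 1; *p; p++) {
        if (*p == '/') {                 /* create each intermediate component */
            *p = '\0';
            if (mkdir(path, mode) != 0 && errno != EEXIST) rc = -1;
            *p = '/';
            if (rc) break;
        }
    }
    if (rc == 0 && mkdir(path, mode) != 0 && errno != EEXIST) rc = -1;
    umask(old);
    return rc;
}

/* Audit: stat each parent directory of root/rel and count those with the
 * other-write bit set.  Returns -1 if a component is missing. */
static int count_world_writable_parents(const char *root, const char *rel)
{
    char path[PATH_BUF];
    struct stat st;
    int n = 0;

    if (snprintf(path, sizeof path, "%s/%s", root, rel) >= (int)sizeof path) return -1;
    *strrchr(path, '/') = '\0';
    for (char *p = path + strlen(root) + 1; ; p++) {
        if (*p == '/' || *p == '\0') {
            char saved = *p;
            *p = '\0';
            if (stat(path, &st) != 0) return -1;
            if (S_ISDIR(st.st_mode) && (st.st_mode & S_IWOTH)) n++;
            *p = saved;
            if (saved == '\0') break;
        }
    }
    return n;
}

/* Run one scenario in a fresh sandbox: build the parents of "block/sub/node"
 * with 'mode', return the number of world-writable parent directories
 * (0777 -> 2, 0755 -> 0), then remove the sandbox again. */
int demo(mode_t mode)
{
    char *root = strdup("/tmp/mdevdemoXXXXXX");   /* constructed sandbox root */
    const char *rel = "block/sub/node";
    char buf[PATH_BUF];
    int n = -1;

    if (!root || !mkdtemp(root)) { free(root); return -1; }
    if (make_parents(root, rel, mode) == 0)
        n = count_world_writable_parents(root, rel);
    snprintf(buf, sizeof buf, "%s/block/sub", root); rmdir(buf);
    snprintf(buf, sizeof buf, "%s/block", root);     rmdir(buf);
    rmdir(root);
    free(root);
    return n;
}

int main(void)
{
    printf("0777 parents: %d world-writable\n", demo(0777));
    printf("0755 parents: %d world-writable\n", demo(0755));
    return 0;
}
```

The same `count_world_writable_parents` walk is the check a defender would run against a live /dev tree after a hotplug event on a system still carrying a pre-1.21.0 BusyBox: any intermediate directory reported there is one that a local user could populate or rename entries in.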
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:18:20 UTC
This issue was resolved and addressed in GLSA 201312-02 at http://security.gentoo.org/glsa/glsa-201312-02.xml by GLSA coordinator Chris Reffett (creffett).