Summary: | <sys-apps/busybox-1.21.0: insecure directory permissions in /dev (mdev) (CVE-2013-1813) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | embedded, ssuominen
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=919608 | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=524346 | |
Whiteboard: | A3 [glsa] | |
Package list: | | Runtime testing required: | ---
Description
Agostino Sarubbo
2013-03-11 11:28:40 UTC
1.20.2 is vulnerable, but 1.21.0 not, after checking if the commit was in the sources

(In reply to comment #1)
> 1.20.2 is vulnerable, but 1.21.0 not, after checking if the commit was in
> the sources

Thanks for checking. Should we proceed to stabilize 1.21.0?

@maintainer: ping

Arches, please test and stabilize:
=sys-apps/busybox-1.21.0
Target arches: alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86

amd64 stable

Stable for HPPA.

ppc stable

ia64 stable

x86 stable

alpha stable

arm stable

ppc64 stable

sparc stable

s390 stable

sh stable

M68K is not anymore a stable arch, removing it from the cc list

Added to existing GLSA draft.

CVE-2013-1813 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1813): util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors.

This issue was resolved and addressed in GLSA 201312-02 at http://security.gentoo.org/glsa/glsa-201312-02.xml by GLSA coordinator Chris Reffett (creffett).