
Bug 485232 (CVE-2013-4362)

Summary: <net-fs/davfs2-1.5.2: insecure use of system() (CVE-2013-4362)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: christian.tietz, cyberbat83, gokturk, net-fs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1008313
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 564592    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2013-09-17 19:23:49 UTC
From ${URL} :

It is found that davfs2, a tool for connecting to WebDAV, might be using the system() insecurely. 
The issue is since mount_davfs2 is setuid, using the system() call could result in privilege 
escalation.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723034


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-02 03:36:03 UTC
Patch available upstream at http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=24;filename=davfs2-1.4.6-system-2.diff;att=1;bug=723034
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-10-02 03:36:34 UTC
CVE-2013-4362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4362):
  WEB-DAV Linux File System (davfs2) 1.4.6 and 1.4.7 allow local users to gain
  privileges via unknown attack vectors in (1) kernel_interface.c and (2)
  mount_davfs.c, related to the "system" function.
Comment 3 Agostino Sarubbo gentoo-dev 2013-10-13 08:34:28 UTC
A public exploit is available: http://www.1337day.com/exploit/21355
Comment 4 cyberbat 2014-05-30 21:29:53 UTC
upstream released version 1.5.0 fixing this issue.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-06-09 12:55:41 UTC
The fix is in version:
Fixed in versions davfs2/1.4.7-3, davfs2/1.4.6-1.1+deb7u1

Since we have 1.4.7, it would be recommended to ebuild and stable for 1.4.7-3.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723034

Maintainers, please confirm if version 1.4.5-r1 is vulnerable; based on all the text and discussion, it does not look like it is.
Comment 6 Göktürk Yüksek archtester gentoo-dev 2015-10-02 19:22:16 UTC
(In reply to cyberbat from comment #4)
> upstream released version 1.5.0 fixing this issue.

Upstream bug: https://savannah.nongnu.org/bugs/?40034
Comment 7 Göktürk Yüksek archtester gentoo-dev 2015-11-01 17:09:31 UTC
There is a stabilization bug open for the version 1.5.0 which fixes the vulnerability: bug 564592.
Comment 8 Pacho Ramos gentoo-dev 2015-11-04 14:48:18 UTC
*** Bug 564592 has been marked as a duplicate of this bug. ***
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2015-12-07 21:54:55 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 10 Patrice Clement gentoo-dev 2015-12-08 09:08:02 UTC
Gokturk Yuksek's PR has been merged and vulnerable versions are now purged from the tree.

https://github.com/gentoo/gentoo/pull/446
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-12-02 13:34:41 UTC
This issue was resolved and addressed in
 GLSA 201612-02 at https://security.gentoo.org/glsa/201612-02
by GLSA coordinator Aaron Bauman (b-man).