Bug 94071

Summary:	net-fs/davfs2: Failure to enforce UNIX fs permissions (CAN-2005-1774)
Product:	Gentoo Security	Reporter:	Adir Abraham <adirab>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	genstef, net-fs
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.securityfocus.com/bid/13770
Whiteboard:	B4 [noglsa]
Package list:		Runtime testing required:	---

Description Adir Abraham 2005-05-26 05:42:24 UTC

According to SecurityFocus.com:

Davfs2 is prone to a security vulnerability. Reports indicate that UNIX file
system permissions are not respected by Davfs2. A WebDAV filesystem that was
mounted will have no permission restrictions at all.

A local attacker may take advantage of this design error to access or corrupt
potentially sensitive data.

---

Vulnerable: 0.2.2

The latest version is 0.2.3, but it's not mentioned that it's not vulnerable, so
you might want to check that out.


Reproducible: Always
Steps to Reproduce:

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-06-01 05:50:08 UTC

0.2.3 is also vulnerable.

See the bug at:
http://sourceforge.net/tracker/index.php?func=detail&aid=1209283&group_id=26275&atid=386747

and the discussion at :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310757

Apparently davfs2 kinda sucks in the rights enforcement department :

22:07 < rleigh> madduck: Re davfs2: Check src/webdav.c, line 480.  Looks like 
          executable perms are enforced, but I may be wrong (I don't know the 
          interrelationship of libneon and CODA and dafvs).  auth(), line 145 
          also looks suspect.  Generally, the code has a FIXMEs, and it looks 
          like it is responsible for handling VFS operations.  If this is 
          correct, it's not doing a very good job.
22:11 < rleigh> (chmod is blank!)
22:18 < rleigh> madduck: I'll review it some more (I've just found the mount 
          option handling), but IMHO it's broken.
23:15 < rleigh> madduck: Just for the record: the only trace of uid/gid/mode 
          handling is in src/util.c, dav_(set|get)_fstat_default().  This is 
          used by src/davfsd.c in set_mkdir_attr and coda_open (via 
          src/webdav.c in dav_stat()).  The upshot is the uid/gid are set to 
          those provided.  The mode handling looks like it might be suspect, 
          and I don't see any permissions checking [perhaps it's supposed to be 
          in kernelspace].  I also saw at least one leak.

My opinion is that davfs2 doesn't say it enforces Unix FS permissions so it may
even not be a bug. Maybe lack of documentation for that "feature" ? That said,
the code apparently sucks...

Comment 2 Thierry Carrez (RETIRED) gentoo-dev

2005-06-08 06:21:29 UTC

Ccing maintainer.
A patch is under discussion on the Debian bug.

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2005-06-24 05:48:56 UTC

Might be what is there :
http://cvs.sourceforge.net/viewcvs.py/dav/davfs2/src/davfsd.c?r1=1.29.2.5&r2=1.29.2.6

Comment 4 Thierry Carrez (RETIRED) gentoo-dev

2005-07-05 06:06:05 UTC

You'll also need the corresponding fixes in util.c, util.h, and webdav.c.

net-fs / genstef : what's your position on this ? Ready to patch ? Upstream
fixed in CVS but has apparently no intention of rushing a fix.

Comment 5 Stefan Schweizer (RETIRED) gentoo-dev

2005-07-18 05:00:05 UTC

New version 0.2.4 is available on dav.sf.net
I need to make a patch apply on it first though, be patient please

Comment 6 Stefan Schweizer (RETIRED) gentoo-dev

2005-07-18 14:58:55 UTC

davfs2 has been bumped and stabled for x86.

Comment 7 Stefan Cornelius (RETIRED) gentoo-dev

2005-07-18 18:19:23 UTC

Ready for GLSA vote - I tend to say no. Only x86 was marked stable and like Koon
said, this might not even be a real bug.

Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-07-18 22:13:01 UTC

I tend to vote NO too (at least until we have better information).

Comment 9 Thierry Carrez (RETIRED) gentoo-dev

2005-07-19 00:29:59 UTC

Agreed on no, and closing.