Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 461372 (CVE-2013-1813) - <sys-apps/busybox-1.21.0: insecure directory permissions in /dev (mdev) (CVE-2013-1813)
Summary: <sys-apps/busybox-1.21.0: insecure directory permissions in /dev (mdev) (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2013-1813
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-11 11:28 UTC by Agostino Sarubbo
Modified: 2014-10-03 08:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-03-11 11:28:40 UTC 
From ${URL} :

It was reported [1] that busybox creates part of the /dev directory tree with incorrect permissions 
when creating device nodes in nested directories.  This has been fixed [2] upstream.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701965
[2] http://git.busybox.net/busybox/commit/?id=4609f477c7e043a4f6147dfe6e86b775da2ef784
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2013-03-11 11:41:24 UTC 
1.20.2 is vulnerable, but 1.21.0 not, after checking if the commit was in the sources
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-10 22:18:59 UTC 
(In reply to comment #1)
> 1.20.2 is vulnerable, but 1.21.0 not, after checking if the commit was in
> the sources

Thanks for checking. 

Should we proceed to stabilize 1.21.0?
Comment 3 Agostino Sarubbo gentoo-dev 2013-04-25 09:54:00 UTC 
@maintainer: ping
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 04:00:48 UTC 
Arches, please test and stabilize:
=sys-apps/busybox-1.21.0
Target arches: alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-11 14:00:20 UTC 
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2013-09-12 14:59:56 UTC 
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2013-09-12 17:38:27 UTC 
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-09-14 07:43:26 UTC 
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-09-14 10:14:38 UTC 
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-09-14 10:23:22 UTC 
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-09-14 10:23:43 UTC 
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-09-14 10:24:16 UTC 
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-09-14 10:24:35 UTC 
sparc stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-09-14 10:38:17 UTC 
s390 stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-09-14 10:38:48 UTC 
sh stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-09-28 20:54:46 UTC 
M68K is not anymore a stable arch, removing it from the cc list
Comment 17 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-29 15:49:48 UTC 
Added to existing GLSA draft.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 22:07:11 UTC 
CVE-2013-1813 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1813):
  util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent
  directories when creating nested directories under /dev/, which allows local
  users to have unknown impact and attack vectors.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:18:20 UTC 
This issue was resolved and addressed in
 GLSA 201312-02 at http://security.gentoo.org/glsa/glsa-201312-02.xml
by GLSA coordinator Chris Reffett (creffett).