Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 485232 (CVE-2013-4362) - <net-fs/davfs2-1.5.2: insecure use of system() (CVE-2013-4362)
Summary: <net-fs/davfs2-1.5.2: insecure use of system() (CVE-2013-4362)
Status: RESOLVED FIXED
Alias: CVE-2013-4362
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B1 [glsa]
Keywords:
Depends on: 564592
Blocks:
  Show dependency tree
 
Reported: 2013-09-17 19:23 UTC by Agostino Sarubbo
Modified: 2016-12-02 13:34 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-09-17 19:23:49 UTC
From ${URL} :

It is found that davfs2, a tool for connecting to WebDAV, might be using the system() insecurely. 
The issue is since mount_davfs2 is setuid, using the system() call could result in privilege 
escalation.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723034


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-10-02 03:36:34 UTC
CVE-2013-4362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4362):
  WEB-DAV Linux File System (davfs2) 1.4.6 and 1.4.7 allow local users to gain
  privileges via unknown attack vectors in (1) kernel_interface.c and (2)
  mount_davfs.c, related to the "system" function.
Comment 3 Agostino Sarubbo gentoo-dev 2013-10-13 08:34:28 UTC
A public exploit is available: http://www.1337day.com/exploit/21355
Comment 4 cyberbat 2014-05-30 21:29:53 UTC
upstream released version 1.5.0 fixing this issue.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-09 12:55:41 UTC
The fix is in version:
Fixed in versions davfs2/1.4.7-3, davfs2/1.4.6-1.1+deb7u1

Since we have 1.4.7, it would be recommended to ebuild and stable for 1.4.7-3.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723034

Maintainers, please confirm if version 1.4.5-r1 is vulnerable, based on all the text and discussion it does not look like it is.
Comment 6 Göktürk Yüksek gentoo-dev 2015-10-02 19:22:16 UTC
(In reply to cyberbat from comment #4)
> upstream released version 1.5.0 fixing this issue.

Upstream bug: https://savannah.nongnu.org/bugs/?40034
Comment 7 Göktürk Yüksek gentoo-dev 2015-11-01 17:09:31 UTC
There is a stabilization bug open for the version 1.5.0 which fixes the vulnerability: bug 564592.
Comment 8 Pacho Ramos gentoo-dev 2015-11-04 14:48:18 UTC
*** Bug 564592 has been marked as a duplicate of this bug. ***
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-07 21:54:55 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 10 Patrice Clement gentoo-dev 2015-12-08 09:08:02 UTC
Gokturk Yuksek's PR has been merged and vulnerable versions are now purged from the tree.

https://github.com/gentoo/gentoo/pull/446
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-12-02 13:34:41 UTC
This issue was resolved and addressed in
 GLSA 201612-02 at https://security.gentoo.org/glsa/201612-02
by GLSA coordinator Aaron Bauman (b-man).