From ${URL} : It is found that davfs2, a tool for connecting to WebDAV, might be using the system() insecurely. The issue is since mount_davfs2 is setuid, using the system() call could result in privilege escalation. References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723034 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Patch available upstream at http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=24;filename=davfs2-1.4.6-system-2.diff;att=1;bug=723034
CVE-2013-4362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4362): WEB-DAV Linux File System (davfs2) 1.4.6 and 1.4.7 allow local users to gain privileges via unknown attack vectors in (1) kernel_interface.c and (2) mount_davfs.c, related to the "system" function.
A public exploit is available: http://www.1337day.com/exploit/21355
upstream released version 1.5.0 fixing this issue.
The fix is in version: Fixed in versions davfs2/1.4.7-3, davfs2/1.4.6-1.1+deb7u1 Since we have 1.4.7, it would be recommended to ebuild and stable for 1.4.7-3. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723034 Maintainers, please confirm if version 1.4.5-r1 is vulnerable, based on all the text and discussion it does not look like it is.
(In reply to cyberbat from comment #4) > upstream released version 1.5.0 fixing this issue. Upstream bug: https://savannah.nongnu.org/bugs/?40034
There is a stabilization bug open for the version 1.5.0 which fixes the vulnerability: bug 564592.
*** Bug 564592 has been marked as a duplicate of this bug. ***
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
Gokturk Yuksek's PR has been merged and vulnerable versions are now purged from the tree. https://github.com/gentoo/gentoo/pull/446
This issue was resolved and addressed in GLSA 201612-02 at https://security.gentoo.org/glsa/201612-02 by GLSA coordinator Aaron Bauman (b-man).
