853044 – (CVE-2013-6412) VUL-0: CVE-2013-6412: augeas: incorrect permissions set on newly created files

Bug 853044 (CVE-2013-6412) - VUL-0: CVE-2013-6412: augeas: incorrect permissions set on newly created files

Summary: VUL-0: CVE-2013-6412: augeas: incorrect permissions set on newly created files

Status:	RESOLVED FIXED

Alias:	CVE-2013-6412

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:running:58170:moderate maint:r...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2013-11-30 10:05 UTC by Marcus Meissner
Modified:	2014-09-01 14:04 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2013-11-30 10:05:27 UTC

CVE-2013-6412

Augeas upstream commit 051c73a9:

https://github.com/hercules-team/augeas/commit/051c73a9

introduced a flaw in the way Augeas sets permissions on newly created files.  The above commit aims to address a regression introduced in the fix for CVE-2012-0786 (see bug 772257 comment 39), which introduced a use of mkstemp() to create new files.  mkstemp() always sets 0600 file permissions regardless of the current umask setting.  Commit 051c73a9 attempts to fix file permissions based on umask setting, but it does not correctly handle certain umask values, causing Augeas to make newly created files world writable.  A local user could possibly use this flaw to modify configuration files created by an application using Augeas.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6412
https://bugzilla.redhat.com/show_bug.cgi?id=1034261

Comment 1 Marcus Meissner 2013-11-30 10:06:00 UTC

Michal, are we affected on SLE?

Comment 2 Swamp Workflow Management 2013-11-30 23:00:41 UTC

bugbot adjusting priority

Comment 3 SMASH SMASH 2014-06-30 14:55:18 UTC

Affected packages:

SLE-11-SP3: augeas

Comment 4 Tomáš Chvátal 2014-07-01 09:10:14 UTC

Submitted with bnc#885003.

Comment 7 Swamp Workflow Management 2014-08-13 21:04:24 UTC

SUSE-SU-2014:1017-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 853044,871323,876044,885003
CVE References: CVE-2012-0786,CVE-2013-6412
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    augeas-0.9.0-3.15.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    augeas-0.9.0-3.15.1
SUSE Linux Enterprise Server 11 SP3 (src):    augeas-0.9.0-3.15.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    augeas-0.9.0-3.15.1

Comment 8 Marcus Meissner 2014-09-01 14:04:15 UTC

released