Bugzilla – Bug 925225
VUL-0: CVE-2014-8119: augeas: augeas path expression injection via interface name
Last modified: 2018-03-09 17:09:38 UTC
rh#1172176 CVE-2014-8119
augeas-devel mailing list thread, discussing lack of ways to safely include untrusted user-supplied input in path strings used in augeas queries: https://www.redhat.com/archives/augeas-devel/2014-December/msg00000.html
Augeas upstream issue that tracks changes required to completely fix this netcf issue: https://github.com/hercules-team/augeas/pull/198
The changes are:
- Addition of new API - aug_escape_name() - which can be used to escape untrusted inputs before using them as part of path expressions passed to APIs as aug_match() or aug_get().
- The aug_match() is changed to return properly escaped output that can be safely passed back to aug_get().
References: https://bugzilla.redhat.com/show_bug.cgi?id=1172176
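The escaping step described above, as an added illustration that is not augeas code and not part of this bug report: a hypothetical escape_name() backslash-escapes path metacharacters in an untrusted label, and count_steps() shows that the escaped label no longer adds a path step. The metacharacter set, the /files/ifcfg/ prefix and the sample interface name are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASSUMED set of path-expression metacharacters (illustration only). */
static const char SPECIAL[] = "][|/=()!,\\";

/* Return a malloc'd copy of `in` with special/whitespace chars backslash-escaped. */
char *escape_name(const char *in) {
    char *out = malloc(2 * strlen(in) + 1), *w = out;  /* worst case: all escaped */
    if (out == NULL) return NULL;
    for (const char *p = in; *p; p++) {
        if (strchr(SPECIAL, *p) || isspace((unsigned char)*p))
            *w++ = '\\';
        *w++ = *p;
    }
    *w = '\0';
    return out;
}

/* Count path steps: '/' separators that are not backslash-escaped. */
int count_steps(const char *path) {
    int steps = 0;
    for (const char *p = path; *p; p++) {
        if (*p == '\\' && p[1] != '\0') p++;   /* skip the escaped character */
        else if (*p == '/') steps++;
    }
    return steps;
}

/* Append one label to a hypothetical /files/ifcfg/ tree prefix. */
char *iface_path(const char *label) {
    static const char prefix[] = "/files/ifcfg/";
    size_t len = sizeof prefix + strlen(label);
    char *path = malloc(len);
    if (path != NULL) snprintf(path, len, "%s%s", prefix, label);
    return path;
}

int main(void) {
    const char *ifname = "eth0/mtu";           /* constructed untrusted input */
    char *esc = escape_name(ifname);
    char *raw = iface_path(ifname), *safe = esc ? iface_path(esc) : NULL;
    if (raw && safe)
        printf("raw:  %s (%d steps)\nsafe: %s (%d steps)\n",
               raw, count_steps(raw), safe, count_steps(safe));
    free(esc); free(raw); free(safe);
    return 0;
}
```

The escaped forms of "mail function" and "[section" produced by this sketch match the ones quoted from the patch's tests later in this thread.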
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-04-14. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61404
bugbot adjusting priority
Which projects are affected by this requirement? SLE-12, SLE-11-SP<x>? Thanks
11-sp1, 11-sp3 and 12.
SUSE:SLE-11-SP1:Update:Test augeas
SUSE:SLE-11-SP3:Update:Test augeas
SUSE:SLE-12:Update augeas
and also opensuse if possible.
Created attachment 631085 [details] Patch for SLE-12:Update submission id #55394
Notes regarding the patch:
1) The patch introduces a new function for escaping into the public API
2) The patch modifies the behavior of the existing API
In my POV (1) is fine, however (2) can break existing applications which already perform escaping on their own. Also we should identify applications which could benefit from using the new API - see (1). Marcus: Is there any common way to handle (2) from security's point of view?
Michal, what's the current status of backporting? Could you give us more info about those patches?
(In reply to Lukas Ocilka from comment #8)
> Michal, what's the current status of backporting? Could you give us more info
> about those patches?
I have a backport (untested) for SLE-11. However, I don't release it until it is clear how to handle API inconsistency issue.
I would like to review the patch, can you attach it here? I looked at the pull request and the referenced commits and that looked good so far.
(In reply to Marcus Meissner from comment #10)
> I would like to review the patch, can you attach it here?
>
> I looked at the pull request and the referenced commits and that looked good
> so far.
In case of SLE-12 the patch is almost the same (cherry picks were almost without conflicts). However the issue - change in API - is visible e.g. in tests provided within the patch. E.g. - /files/etc/php.ini/mail function/SMTP = localhost + /files/etc/php.ini/mail\ function/SMTP = localhost - /white space/[section = "value" + /white\ space/\[section = "value" and others.
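Review bot: the changed expectations in the quoted test excerpt ("mail function" becoming "mail\ function", "[section" becoming "\[section") mean returned paths no longer match the node labels byte-for-byte, so a caller that compares returned paths against literal strings, or escapes them itself before passing them on, will behave differently after the update. The .changes entry should state this output change next to the CVE number, and a round-trip check that passes a returned path containing a space and a bracket back into a lookup would make the intended behaviour explicit.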
well.. please just submit and we can check it. additional APIs are not a problem. slight output changes might be fixable
Patch for SLE-12 submitted (https://build.suse.de/request/show/57064). I'll continue with other patches once this one is accepted.
the rq was declined: Please resubmit as a maintenancerequest against SUSE:SLE-12:Update also please mention the CVE nr in the .changes too.
resubmitted, id 57320
is in progress ...
hi, are SLE-11-SP1 or SLE-11-SP3 affected as well?
(In reply to Victor Pereira from comment #20)
> hi, are SLE-11-SP1 or SLE-11-SP3 affected as well?
please see comment#4. Affected projects are:
> SUSE:SLE-11-SP1:Update:Test
> SUSE:SLE-11-SP3:Update:Test
> SUSE:SLE-12:Update
SUSE-SU-2015:1249-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 925225
CVE References: CVE-2014-8119
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): augeas-1.2.0-3.1
SUSE Linux Enterprise Server 12 (src): augeas-1.2.0-3.1
SUSE Linux Enterprise Desktop 12 (src): augeas-1.2.0-3.1
Created attachment 646658 [details] Patch for SLE-11-SP3:Update
Submitted maintenance request for SLE-11-SP3, id#67434
SUSE-SU-2015:1792-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 925225
CVE References: CVE-2014-8119
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): augeas-0.9.0-3.17.2
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): augeas-0.9.0-3.17.2
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): augeas-0.9.0-3.17.2
SUSE Linux Enterprise Server 11-SP4 (src): augeas-0.9.0-3.17.2
SUSE Linux Enterprise Server 11-SP3 (src): augeas-0.9.0-3.17.2
SUSE Linux Enterprise Desktop 11-SP4 (src): augeas-0.9.0-3.17.2
SUSE Linux Enterprise Desktop 11-SP3 (src): augeas-0.9.0-3.17.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): augeas-0.9.0-3.17.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src): augeas-0.9.0-3.17.2
Submitted maintenance request for SLE-11-SP1, id#77487
SLE-12*, SLE-11-SP{1,3}, OpenSUSE:{Leap,Tumbleweed} should be fixed (patch provided or fixed by most recent upstream version). So, closing.
This is an autogenerated message for OBS integration: This bug (925225) was mentioned in https://build.opensuse.org/request/show/499623 Factory / augeas
This is an autogenerated message for OBS integration: This bug (925225) was mentioned in https://build.opensuse.org/request/show/500542 Factory / augeas
SUSE-SU-2018:0653-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1054171,925225
CVE References: CVE-2014-8119,CVE-2017-7555
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): augeas-0.9.0-3.21.3.1
SUSE Linux Enterprise Server 11-SP4 (src): augeas-0.9.0-3.21.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): augeas-0.9.0-3.21.3.1