Bug 1034243 (CVE-2012-6607)
| Field | Value |
|---|---|
| Summary | CVE-2012-6607 augeas: symlink attack on a .augsave file |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED NOTABUG |
| Severity | low |
| Priority | low |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Ratul Gupta <ratulg> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | aavati, abaron, aortega, apevec, apevec, ayoung, chrisw, dallan, dcleal, gkotton, jkurik, lhh, lutter, markmc, mbooth, pfrields, rbryant, rfortier, rhos-maint, rhs-bugs, sclewis, ssaha, vbellur, yeylon |
| Keywords | Security |
| Doc Type | Bug Fix |
| Last Closed | 2014-01-16 10:03:54 UTC |
| Bug Blocks | 1034246 |

Description
Ratul Gupta
2013-11-25 13:27:41 UTC
I'm trying to figure out what led Mitre CVE team to split this from CVE-2012-0786 (which is tracked via bug 772257) and consider this separate. The difference in wording of CVE-2012-0786 and CVE-2012-6607 descriptions is:

  via a symlink attack on a .augnew file

versus:

  via a symlink attack on a .augsave file in a backup save action

I do not find any mentions of the .augsave symlink attack in our bug 772257, upstream commit message, or upstream news. It seems most likely that this new CVE was created based on the addition of test-put-symlink-augsave.sh test case as part of upstream commit 16387744:

https://github.com/hercules-team/augeas/commit/16387744#diff-658b06330f5444abf43ff1bf7aa19bd8

However, that test only seems to have been "preventive" rather than "reactive" - there was no symlink attack against .augsave similar to the .augnew one. .augsave was only created via clone_file(). That function has other issues, covered by separate CVE-2012-0787 (bug 772261).

I used the test-put-symlink-augsave.sh test with unfixed augeas 0.9.0 (previous version used in Red Hat Enterprise Linux 6) and it PASSes. So I don't believe this CVE-2012-6607 describes any real problem.

Dominic, can you confirm my findings above?

(In reply to Tomas Hoger from comment #1)
> I do not find any mentions of the .augsave symlink attack in our bug 772257,
> upstream commit message, or upstream news. It seems most likely that
> this new CVE was created based on the addition of
> test-put-symlink-augsave.sh test case as part of upstream commit 16387744:
>
> https://github.com/hercules-team/augeas/commit/16387744#diff-658b06330f5444abf43ff1bf7aa19bd8
>
> However, that test only seems to have been "preventive" rather than
> "reactive" - there was no symlink attack against .augsave similar to the
> .augnew one. .augsave was only created via clone_file(). That function has
> other issues, covered by separate CVE-2012-0787 (bug 772261).
>
> I used the test-put-symlink-augsave.sh test with unfixed augeas 0.9.0
> (previous version used in Red Hat Enterprise Linux 6) and it PASSes. So I
> don't believe this CVE-2012-6607 describes any real problem.
>
> Dominic, can you confirm my findings above?

I agree, I can't find any evidence or remember this issue affecting augsave. I probably added the test as a preventative measure, just to prove that augsave was safe and would remain safe.

As noted above, I do not believe this CVE id refers to any security issue and I believe it was assigned incorrectly.

CVE rejection request:
http://thread.gmane.org/gmane.comp.security.oss.general/11691

Note that the relevant change was included in augeas packages erratum RHSA-2013:1537 for Red Hat Enterprise Linux 6:
https://rhn.redhat.com/errata/RHSA-2013-1537.html

Statement:

Red Hat believes that the flaw described by this CVE never affected augeas and therefore we consider this CVE assignment as invalid. For further details, refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1034243#c1