Bug 1034243 (CVE-2012-6607)

Summary: CVE-2012-6607 augeas: symlink attack on a .augsave file
Product: [Other] Security Response
Reporter: Ratul Gupta <ratulg>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: aavati, abaron, aortega, apevec, ayoung, chrisw, dallan, dcleal, gkotton, jkurik, lhh, lutter, markmc, mbooth, pfrields, rbryant, rfortier, rhos-maint, rhs-bugs, sclewis, ssaha, vbellur, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-01-16 10:03:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1034246

Description Ratul Gupta 2013-11-25 13:27:41 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-6607 to
the following vulnerability:

Name: CVE-2012-6607
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6607
Assigned: 20131123
Reference: http://augeas.net/news.html
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=772257
Reference: https://github.com/hercules-team/augeas/commit/16387744
Reference: REDHAT:RHSA-2013:1537
Reference: http://rhn.redhat.com/errata/RHSA-2013-1537.html
Reference: SECUNIA:55811
Reference: http://secunia.com/advisories/55811

The transform_save function in transform_save in Augeas before 1.0.0 allows local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on a .augsave file in a backup save action, a different vector than CVE-2012-0786.

Comment 1 Tomas Hoger 2013-11-26 20:50:49 UTC
I'm trying to figure out what led the Mitre CVE team to split this from CVE-2012-0786 (which is tracked via bug 772257) and consider this separate.  The difference in wording of the CVE-2012-0786 and CVE-2012-6607 descriptions is:

  via a symlink attack on a .augnew file

versus:

  via a symlink attack on a .augsave file in a backup save action

I do not find any mentions of the .augsave symlink attack in our bug 772257, upstream commit message, or upstream news.  It seems most likely that this new CVE was created based on the addition of the test-put-symlink-augsave.sh test case as part of upstream commit 16387744:

https://github.com/hercules-team/augeas/commit/16387744#diff-658b06330f5444abf43ff1bf7aa19bd8

However, that test only seems to have been "preventive" rather than "reactive" - there was no symlink attack against .augsave similar to the .augnew one.  .augsave was only created via clone_file().  That function has other issues, covered by separate CVE-2012-0787 (bug 772261).

I used the test-put-symlink-augsave.sh test with unfixed augeas 0.9.0 (previous version used in Red Hat Enterprise Linux 6) and it PASSes.  So I don't believe this CVE-2012-6607 describes any real problem.

Dominic, can you confirm my findings above?
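
Comment 1 above describes the test-put-symlink-augsave.sh test as preventive: it proves that a save with backup enabled does not follow a symlink planted at the .augsave path. The C program below is an added example written for this page, not code from Augeas, its test suite, or this bug, showing what such a check has to establish. It plants a symlink at the backup path pointing to a "victim" file the same user owns, runs a backup writer, and reports whether the victim survived and whether the backup path ended up as a regular file. Two writers are compared: a naive one using fopen(path, "w"), which follows the link, and a hardened one that unlinks the path and then creates the backup with O_CREAT|O_EXCL|O_NOFOLLOW. The writer functions, the harness, and the file names conf.augsave and victim are my constructions; the only thing taken from the page is the idea of the test, and neither writer is Augeas's clone_file().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A backup writer takes the path of the .augsave-style file to create and the
 * bytes to put in it; returns 0 on success, -1 on failure. */
typedef int (*backup_writer)(const char *path, const char *data, size_t len);

/* Naive writer (constructed for contrast, not Augeas's clone_file()):
 * fopen(path, "w") follows a symlink sitting at `path`, so a link planted
 * there by a local user gets its target truncated and overwritten. */
static int naive_write_backup(const char *path, const char *data, size_t len) {
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    size_t n = fwrite(data, 1, len, fp);
    int rc = fclose(fp);
    return (n == len && rc == 0) ? 0 : -1;
}

/* Hardened writer: first unlink whatever occupies `path` (unlink removes a
 * symlink itself, never the file it points to), then create the backup with
 * O_CREAT|O_EXCL|O_NOFOLLOW. If a link is re-planted between the unlink and
 * the open, O_EXCL makes the open fail rather than follow it. */
static int safe_write_backup(const char *path, const char *data, size_t len) {
    if (unlink(path) != 0 && errno != ENOENT) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, len);
    int rc = close(fd);
    return (n == (ssize_t)len && rc == 0) ? 0 : -1;
}

/* Read up to `cap` bytes from a small file; returns bytes read or -1. */
static ssize_t read_small(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap);
    close(fd);
    return n;
}

/* Regression check in the spirit of test-put-symlink-augsave.sh: plant a
 * symlink where the backup file will be written, pointing at a "victim" file
 * we own, run the writer, and inspect the result. Returns 1 if the victim
 * kept its contents and the backup path is now a regular file, 0 if the
 * writer followed the link, -1 on a setup error. */
int backup_writer_resists_symlink(backup_writer writer) {
    const char *base = getenv("TMPDIR");
    if (base == NULL) base = "/tmp";
    char dir[512], victim[600], backup[600], buf[64];
    struct stat st;
    int result = -1;
    const char *secret = "original victim contents\n"; /* constructed sample */

    snprintf(dir, sizeof dir, "%s/augsave-check-XXXXXX", base);
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(backup, sizeof backup, "%s/conf.augsave", dir);

    if (safe_write_backup(victim, secret, strlen(secret)) != 0) goto out;
    if (symlink(victim, backup) != 0) goto out;

    /* The writer's return value is deliberately ignored: what matters is
     * the state left on disk. */
    (void)writer(backup, "backup data\n", 12);

    ssize_t n = read_small(victim, buf, sizeof buf);
    int victim_intact = n == (ssize_t)strlen(secret) &&
                        memcmp(buf, secret, (size_t)n) == 0;
    int backup_is_regular = lstat(backup, &st) == 0 && S_ISREG(st.st_mode);
    result = (victim_intact && backup_is_regular) ? 1 : 0;
out:
    unlink(backup);   /* removes the link or the new regular file, never the victim */
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void) {
    printf("naive fopen(\"w\") writer resists symlink: %d\n",
           backup_writer_resists_symlink(naive_write_backup));
    printf("O_EXCL|O_NOFOLLOW writer resists symlink: %d\n",
           backup_writer_resists_symlink(safe_write_backup));
    return 0;
}
```

The harness ignores the writer's return code on purpose: a writer that follows the link reports success while having clobbered the wrong file, so the only meaningful check is the state on disk afterwards, which is the same reason the upstream test inspects the files rather than the exit status alone. The unlink-then-O_EXCL pattern is what makes the hardened writer safe even if the link is recreated in the race window, because O_EXCL refuses to create through an existing path of any kind.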

Comment 2 Dominic Cleal 2013-12-02 14:10:38 UTC
(In reply to Tomas Hoger from comment #1)
> I do not find any mentions of the .augsave symlink attack in our bug 772257,
> upstream commit message, or upstream news.  It seems most likely that
> this new CVE was created based on the addition of
> test-put-symlink-augsave.sh test case as part of upstream commit 16387744:
> 
> https://github.com/hercules-team/augeas/commit/16387744#diff-658b06330f5444abf43ff1bf7aa19bd8
> 
> However, that test only seems to have been "preventive" rather than
> "reactive" - there was no symlink attack against .augsave similar to the
> .augnew one.  .augsave was only created via clone_file().  That function has
> other issues, covered by separate CVE-2012-0787 (bug 772261).
> 
> I used the test-put-symlink-augsave.sh test with unfixed augeas 0.9.0
> (previous version used in Red Hat Enterprise Linux 6) and it PASSes.  So I
> don't believe this CVE-2012-6607 describes any real problem.
> 
> Dominic, can you confirm my findings above?

I agree, I can't find any evidence or remember this issue affecting augsave.  I probably added the test as a preventative measure, just to prove that augsave was safe and would remain safe.

Comment 3 Tomas Hoger 2014-01-16 10:03:54 UTC
As noted above, I do not believe this CVE id refers to any security issue and I believe it was assigned incorrectly.  CVE rejection request:

http://thread.gmane.org/gmane.comp.security.oss.general/11691

Note that the relevant change was included in augeas packages erratum RHSA-2013:1537 for Red Hat Enterprise Linux 6:

https://rhn.redhat.com/errata/RHSA-2013-1537.html

Statement:

Red Hat believes that the flaw described by this CVE never affected augeas and therefore we consider this CVE assignment as invalid. For further details, refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1034243#c1