Bug 1034261 (CVE-2013-6412)
Summary: | CVE-2013-6412 augeas: incorrect permissions set on newly created files | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | apevec, apevec, chrisw, gkotton, lhh, lutter, markmc, rbryant, rhs-bugs, sclewis, srevivo |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-20 10:41:56 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1036079, 1036080, 1036081, 1036082, 1036083, 1054129, 1058938 | ||
Bug Blocks: | 1034264 |
Description
Tomas Hoger
2013-11-25 14:05:59 UTC
I would fix this by changing the second arg to fchmod on line 1105 to '0666 - curumsk & 0666' - do you think that is sufficient as a fix here ?

(In reply to lutter from comment #1)
> I would fix this by changing the second arg to fchmod on line 1105 to '0666
> - curumsk & 0666' - do you think that is sufficient as a fix here ?

Or 0666 & ~curumask I think.

This issue only affects augeas packages in Red Hat Enterprise Linux 6 as of RHSA-2013:1537 (augeas-1.0.0-5.el6), released as part of Red Hat Enterprise Linux 6.5, which is the update that corrected CVE-2012-0786 and introduced this problem - see bug 772257 comment 51. augeas packages in older Red Hat Enterprise Linux 6 versions are not affected.

Assigning CVE-2013-6412.

Created augeas tracking bugs for this issue:

Affects: fedora-all [bug 1036082]
Affects: epel-5 [bug 1036083]

Patch submitted, pending review:
https://github.com/hercules-team/augeas/pull/58

Merged upstream:
https://github.com/hercules-team/augeas/commit/f5b4fc0c

Acknowledgment:

This issue was discovered by the Red Hat Security Response Team.

This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2014:0044 https://rhn.redhat.com/errata/RHSA-2014-0044.html

augeas-1.2.0-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

augeas-1.2.0-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

augeas-1.2.0-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
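An added example (not code from augeas or from this bug report) that evaluates the two mode expressions suggested in the comments above for several umask values and applies the masked form to a newly created file. It assumes the file is created with mkstemp, which yields mode 0600; the function names and the /tmp path are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* First suggestion: C parses '0666 - mask & 0666' as (0666 - mask) & 0666. */
static mode_t mode_by_subtraction(mode_t mask) {
    return (mode_t)((0666 - mask) & 0666);
}

/* Reply's suggestion: clear exactly the permission bits the umask names. */
static mode_t mode_by_masking(mode_t mask) {
    return (mode_t)(0666 & ~mask);
}

/* The umask can only be read by setting it, so set it and restore it. */
static mode_t current_umask(void) {
    mode_t m = umask(0);
    umask(m);
    return m;
}

/* Create a temp file under the given umask, fchmod it to 0666 & ~umask,
 * and return the permission bits found on disk ((mode_t)-1 on error). */
static mode_t create_with_umask(mode_t mask) {
    char path[] = "/tmp/umask_demo_XXXXXX";   /* constructed sample path */
    struct stat st;
    mode_t result = (mode_t)-1;
    mode_t old = umask(mask);
    int fd = mkstemp(path);                   /* created as 0600 */
    if (fd >= 0) {
        if (fchmod(fd, mode_by_masking(current_umask())) == 0 &&
            fstat(fd, &st) == 0)
            result = st.st_mode & 07777;
        close(fd);
        unlink(path);
    }
    umask(old);
    return result;
}

int main(void) {
    const mode_t masks[] = {0022, 0027, 0077};
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++)
        printf("umask %04o: subtraction %04o, masking %04o, on disk %04o\n",
               (unsigned)masks[i], (unsigned)mode_by_subtraction(masks[i]),
               (unsigned)mode_by_masking(masks[i]),
               (unsigned)create_with_umask(masks[i]));
    return 0;
}
```

The two expressions agree for umask 022, but subtraction borrows across bit positions once the umask contains bits outside 0666, so umask 027 yields 0626 instead of 0640.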