Bug 772257 (CVE-2012-0786)

Summary: CVE-2012-0786 augeas: susceptible to symlink attack
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerability    Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecified    CC: aortega, apevec, ayoung, bfan, chrisw, dallan, dcleal, gkotton, hbrock, iheim, leiwang, lhh, markmc, prc, rbryant, rhos-maint, sclewis, security-response-team, slong, thoger, vdanen, wshi, yeylon
Target Milestone: ---    Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20120811,reported=20120105,source=redhat,cvss2=3.3/AV:L/AC:M/Au:N/C:P/I:P/A:N,rhel-6/augeas=affected,fedora-all/augeas=affected,epel-4/augeas=wontfix,epel-5/augeas=affected,openstack-3/augeas=affected
Fixed In Version: augeas 1.0.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-02 12:44:59 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1005040, 1032748, 1033395, 1033396, 1033397    
Bug Blocks: 772264, 974906    
Description Flags
proposed upstream patch
Reviewed patch
proposed upstream fix #5
Followup xread_file/fopen fix (1a66739c)
Followup file creation permissions fix (051c73a9) none

Description Vincent Danen 2012-01-06 10:57:59 EST
Augeas is a configuration management API that represents the contents of config files as a tree in memory for editing, with the edits being written back to the actual file. By default it loads files it understands in a large number of standard system locations (/etc, /boot), but can also open files in a user specified location [1],[2].

It has two save modes of interest, "backup" that keeps the original in PATH.augorig and "newfile" that leaves the file alone, but writes the edited version to PATH.augnew. These can be set via the API [3] or --backup/--new with augtool (CLI tool around the API).

A flaw was found in the current 0.10.0 version and most previous versions.  It requires that the directory containing the file to be edited is writable by another user, so this needs the user to explicitly open a file in another location or for a file in a default location to be in a group/world writable directory.

Augeas always opens PATH.augnew for writing, sets the file modes identically to PATH, writes the file contents and then renames PATH.augnew to PATH.

Creation of a symlink at PATH.augnew will cause the new file contents to be written to the symlink target and then the symlink is moved to PATH. This enables an attacker to get to the file contents in the symlink target and also subvert PATH.

The code's at src/transform.c in transform_save [4].

[1] http://augeas.net/page/Loading_specific_files
[2] https://github.com/raphink/augeas-sandbox/blob/master/augload
[3] http://augeas.net/docs/api.html#saving-the-tree
[4] https://git.fedorahosted.org/cgit/augeas.git/tree/src/transform.c?id=547442f#n885
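The save step the description spells out, as an added example that is not Augeas's code and not the upstream patch: the vulnerable pattern (fopen() on PATH.augnew follows a planted symlink) beside a hardened variant that creates PATH.augnew with O_CREAT|O_EXCL|O_NOFOLLOW, so a pre-planted link makes the save fail with EEXIST instead of being followed. Function names, the temp directory and the scenario() helper, which constructs its own victim file and symlink, are hypothetical; upstream's own mkstemp-based fix referenced in the later comments is not reproduced here.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW, mkdtemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (hypothetical, not Augeas's code): fopen(..., "w") follows
 * whatever already sits at PATH.augnew, so a planted symlink redirects the
 * write into its target, exactly the behaviour the report describes. */
int write_augnew_unsafe(const char *augnew, const char *data, size_t len) {
    FILE *f = fopen(augnew, "w");
    if (!f) return -1;
    int ok = fwrite(data, 1, len, f) == len;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Hardened variant: O_CREAT|O_EXCL refuses any pre-existing name and
 * O_NOFOLLOW refuses a symlink outright, so the data can only land in a fresh
 * regular file. Mode 0666 lets the umask apply (cf. the follow-up in comment 39). */
int write_augnew_safe(const char *augnew, const char *data, size_t len) {
    int fd = open(augnew, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0666);
    if (fd < 0) return -1;            /* errno == EEXIST when something was planted */
    int ok = write(fd, data, len) == (ssize_t)len;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

static off_t size_of(const char *p) { struct stat st; return stat(p, &st) < 0 ? -1 : st.st_size; }

/* Constructed scenario: a victim file plus a symlink planted at conf.augnew in
 * a fresh temp dir. Returns 0 if the safe path refuses with EEXIST and leaves
 * the victim intact while the unsafe path overwrites it; nonzero otherwise. */
int scenario(void) {
    char dir[] = "/tmp/augnewXXXXXX", victim[64], augnew[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(augnew, sizeof augnew, "%s/conf.augnew", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("secret\n", f) < 0 || fclose(f) != 0) return 2;
    if (symlink(victim, augnew) < 0) return 3;
    if (write_augnew_safe(augnew, "new\n", 4) == 0 || errno != EEXIST) return 4;
    if (size_of(victim) != 7) return 5;       /* "secret\n" untouched */
    if (write_augnew_unsafe(augnew, "new\n", 4) != 0 || size_of(victim) != 4) return 6;
    unlink(augnew); unlink(victim); rmdir(dir);
    return 0;
}
```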
Comment 1 Vincent Danen 2012-01-06 11:23:58 EST
Created attachment 551189 [details]
proposed upstream patch
Comment 8 Kurt Seifried 2012-01-20 18:05:09 EST
Assigned CVE internally and added to alias and title.
Comment 35 Dominic Cleal 2012-02-14 14:32:08 EST
Created attachment 562023 [details]
proposed upstream fix #5
Comment 37 David Lutterkort 2012-07-19 14:25:59 EDT
Committed as 16387744 upstream
Comment 38 Dominic Cleal 2012-07-29 11:23:24 EDT
Created attachment 601046 [details]
Followup xread_file/fopen fix (1a66739c)

Followup patch that fixes a regression introduced in the xread_file function, where the success of fopen wasn't being checked.  Committed upstream as 1a66739c.
Comment 39 Dominic Cleal 2012-08-11 18:45:01 EDT
Created attachment 603732 [details]
Followup file creation permissions fix (051c73a9)

Another regression, this time for files being created via Augeas (no existing augorig), ensuring their permissions are set according to the umask rather than the 0600 permissions from mkstemp.  Committed upstream as 051c73a9.
Comment 43 Vincent Danen 2013-09-06 01:45:05 EDT
This was fixed in 1.0.0 according to the changelog (http://augeas.net/news.html):

* prevent symlink attacks via .augnew during saving, RedHat bug #772257, CVE-2012-0786
Comment 49 Tomas Hoger 2013-10-28 09:09:52 EDT
(In reply to Vincent Danen from comment #41)
> Upstream commits from 20120729 and 20120811:
> https://git.fedorahosted.org/cgit/augeas.git/commit/?id=051c73a9
> https://git.fedorahosted.org/cgit/augeas.git/commit/?id=1a66739c

Note that the above two commits are follow-up regression fixes (mentioned in comment 38 and comment 39); a real fix for this issue is mentioned in comment 37:

In the meantime, the project moved to GitHub, so matching GitHub commit links are:

Comment 51 errata-xmlrpc 2013-11-20 23:47:32 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1537 https://rhn.redhat.com/errata/RHSA-2013-1537.html
Comment 53 Huzaifa S. Sidhpurwala 2013-11-21 22:07:57 EST
Created augeas tracking bugs for this issue:

Affects: fedora-all [bug 1033395]
Affects: epel-4 [bug 1033396]
Affects: epel-5 [bug 1033397]