Bug 772257 (CVE-2012-0786)

Summary: CVE-2012-0786 augeas: susceptible to symlink attack
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: aortega, apevec, ayoung, bfan, chrisw, dallan, dcleal, gkotton, hbrock, iheim, leiwang, lhh, markmc, prc, rbryant, rhos-maint, sclewis, security-response-team, slong, thoger, vdanen, wshi, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: augeas 1.0.0
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-05-02 16:44:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1005040, 1032748, 1033395, 1033396, 1033397
Bug Blocks: 772264, 974906
Attachments:
- proposed upstream patch (flags: none)
- Reviewed patch (flags: none)
- proposed upstream fix #5 (flags: none)
- Followup xread_file/fopen fix (1a66739c) (flags: none)
- Followup file creation permissions fix (051c73a9) (flags: none)

Description Vincent Danen 2012-01-06 15:57:59 UTC
Augeas is a configuration management API that represents the contents of config files as a tree in memory for editing, with the edits being written back to the actual file. By default it loads files it understands in a large number of standard system locations (/etc, /boot), but can also open files in a user specified location [1],[2].

It has two save modes of interest, "backup" that keeps the original in PATH.augorig and "newfile" that leaves the file alone, but writes the edited version to PATH.augnew. These can be set via the API [3] or --backup/--new with augtool (CLI tool around the API).

A flaw was found in the current 0.10.0 version and most previous versions. It requires that the directory containing the file to be edited be writable by another user, so this needs the user to explicitly open a file in another location or for a file in a default location to be in a group/world writable directory.

Augeas always opens PATH.augnew for writing, sets the file modes identically to PATH, writes the file contents and then renames PATH.augnew to PATH.

Creation of a symlink at PATH.augnew will cause the new file contents to be written to the symlink target and then the symlink is moved to PATH. This enables an attacker to get to the file contents in the symlink target and also subvert PATH.

The code's at src/transform.c in transform_save [4].

[1] http://augeas.net/page/Loading_specific_files
[2] https://github.com/raphink/augeas-sandbox/blob/master/augload
[3] http://augeas.net/docs/api.html#saving-the-tree
[4] https://git.fedorahosted.org/cgit/augeas.git/tree/src/transform.c?id=547442f#n885
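The hardened save pattern the description calls for, as an added example in C that is not code from Augeas or from this bug's patches: PATH.augnew is opened with O_EXCL|O_NOFOLLOW so a pre-planted symlink makes the open fail (EEXIST) instead of redirecting the write, the mode is copied onto a descriptor we know we created, and only then is the temp file renamed over PATH. The file names and the scenario in demo_symlink_refused are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Write CONTENTS to PATH through PATH.augnew; 0 on success, -1 on error. */
int save_atomic(const char *path, const char *contents) {
    char tmp[PATH_MAX];
    if (snprintf(tmp, sizeof tmp, "%s.augnew", path) >= (int)sizeof tmp) return -1;
    /* O_EXCL fails if anything already sits at tmp; O_NOFOLLOW never follows a link there. */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;               /* a planted .augnew surfaces here as EEXIST */
    struct stat st;                      /* copy the original's mode, but only onto our own file */
    if (stat(path, &st) == 0 && fchmod(fd, st.st_mode & 07777) != 0) goto fail;
    size_t len = strlen(contents);
    if (write(fd, contents, len) != (ssize_t)len || fsync(fd) != 0) goto fail;
    if (close(fd) != 0 || rename(tmp, path) != 0) { fd = -1; goto fail; }
    return 0;
fail:
    if (fd >= 0) close(fd);
    unlink(tmp);
    return -1;
}
static int read_small(const char *p, char *buf, size_t n) {  /* read up to n-1 bytes of p */
    FILE *f = fopen(p, "r"); if (!f) return -1;
    buf[fread(buf, 1, n - 1, f)] = '\0'; return fclose(f);
}
/* Constructed scenario: PATH.augnew is pre-planted as a symlink to VICTIM. Returns 0 if
   the save is refused, VICTIM is untouched, and a retry once the link is gone succeeds. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/augXXXXXX", path[PATH_MAX], tmp[PATH_MAX], victim[PATH_MAX], buf[16];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/conf", dir);
    snprintf(tmp, sizeof tmp, "%s/conf.augnew", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (save_atomic(path, "old") || save_atomic(victim, "secret")) return -2;
    if (symlink(victim, tmp) != 0) return -3;
    if (save_atomic(path, "new") != -1 || errno != EEXIST) return -4;
    if (read_small(victim, buf, sizeof buf) || strcmp(buf, "secret")) return -5;
    unlink(tmp);
    if (save_atomic(path, "new") != 0) return -6;
    if (read_small(path, buf, sizeof buf) || strcmp(buf, "new")) return -7;
    unlink(path); unlink(victim); rmdir(dir);
    return 0;
}
```

A negative return from demo_symlink_refused identifies which expectation failed; the EEXIST refusal is the behaviour the original open(2)-then-write sequence lacked.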

Comment 1 Vincent Danen 2012-01-06 16:23:58 UTC
Created attachment 551189 [details]
proposed upstream patch

Comment 8 Kurt Seifried 2012-01-20 23:05:09 UTC
Assigned CVE internally and added to alias and title.

Comment 35 Dominic Cleal 2012-02-14 19:32:08 UTC
Created attachment 562023 [details]
proposed upstream fix #5

Comment 37 David Lutterkort 2012-07-19 18:25:59 UTC
Committed as 16387744 upstream

Comment 38 Dominic Cleal 2012-07-29 15:23:24 UTC
Created attachment 601046 [details]
Followup xread_file/fopen fix (1a66739c)

Followup patch that fixes a regression introduced in the xread_file function, where the success of fopen wasn't being checked.  Committed upstream as 1a66739c.

Comment 39 Dominic Cleal 2012-08-11 22:45:01 UTC
Created attachment 603732 [details]
Followup file creation permissions fix (051c73a9)

Another regression, this time for files being created via Augeas (no existing augorig), ensuring their permissions are set according to the umask rather than the 0600 permissions from mkstemp.  Committed upstream as 051c73a9.

Comment 43 Vincent Danen 2013-09-06 05:45:05 UTC
This was fixed in 1.0.0 according to the changelog (http://augeas.net/news.html):

* prevent symlink attacks via .augnew during saving, RedHat bug #772257, CVE-2012-0786

Comment 49 Tomas Hoger 2013-10-28 13:09:52 UTC
(In reply to Vincent Danen from comment #41)
> Upstream commits from 20120729 and 20120811:
> 
> https://git.fedorahosted.org/cgit/augeas.git/commit/?id=051c73a9
> https://git.fedorahosted.org/cgit/augeas.git/commit/?id=1a66739c

Note that the above two commits are follow-up regression fixes (mentioned in comment 38 and comment 39); the real fix for this issue is mentioned in comment 37:

https://git.fedorahosted.org/cgit/augeas.git/commit/?id=16387744

In the meantime, the project moved to GitHub, so the matching GitHub commit links are:

https://github.com/hercules-team/augeas/commit/16387744
https://github.com/hercules-team/augeas/commit/1a66739c
https://github.com/hercules-team/augeas/commit/051c73a9

Comment 51 errata-xmlrpc 2013-11-21 04:47:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1537 https://rhn.redhat.com/errata/RHSA-2013-1537.html

Comment 53 Huzaifa S. Sidhpurwala 2013-11-22 03:07:57 UTC
Created augeas tracking bugs for this issue:

Affects: fedora-all [bug 1033395]
Affects: epel-4 [bug 1033396]
Affects: epel-5 [bug 1033397]