Bug 1034243 (CVE-2012-6607) - CVE-2012-6607 augeas: symlink attack on a .augsave file
Summary: CVE-2012-6607 augeas: symlink attack on a .augsave file
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2012-6607
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1034246
Reported: 2013-11-25 13:27 UTC by Ratul Gupta
Modified: 2021-02-17 07:08 UTC (History)
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-16 10:03:54 UTC
Embargoed:

Description Ratul Gupta 2013-11-25 13:27:41 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-6607 to
the following vulnerability:

Name: CVE-2012-6607
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6607
Assigned: 20131123
Reference: http://augeas.net/news.html
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=772257
Reference: https://github.com/hercules-team/augeas/commit/16387744
Reference: REDHAT:RHSA-2013:1537
Reference: http://rhn.redhat.com/errata/RHSA-2013-1537.html
Reference: SECUNIA:55811
Reference: http://secunia.com/advisories/55811

The transform_save function in transform_save in Augeas before 1.0.0 allows local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on a .augsave file in a backup save action, a different vector than CVE-2012-0786.

Comment 1 Tomas Hoger 2013-11-26 20:50:49 UTC
I'm trying to figure out what led Mitre CVE team to split this from CVE-2012-0786 (which is tracked via bug 772257) and consider this separate.  The difference in wording of CVE-2012-0786 and CVE-2012-6607 descriptions is:

  via a symlink attack on a .augnew file

versus:

  via a symlink attack on a .augsave file in a backup save action

I do not find any mentions of the .augsave symlink attack in our bug 772257, upstream commit message, or upstream news.  It seems most likely that this new CVE was created based on the addition of test-put-symlink-augsave.sh test case as part of upstream commit 16387744:

https://github.com/hercules-team/augeas/commit/16387744#diff-658b06330f5444abf43ff1bf7aa19bd8

However, that test only seems to have been "preventive" rather than "reactive" - there was no symlink attack against .augsave similar to the .augnew one.  .augsave was only created via clone_file().  That function has other issues, covered by separate CVE-2012-0787 (bug 772261).

I used the test-put-symlink-augsave.sh test with unfixed augeas 0.9.0 (previous version used in Red Hat Enterprise Linux 6) and it PASSes.  So I don't believe this CVE-2012-6607 describes any real problem.

Dominic, can you confirm my findings above?

Comment 2 Dominic Cleal 2013-12-02 14:10:38 UTC
(In reply to Tomas Hoger from comment #1)
> I do not find any mentions of the .augsave symlink attack in our bug 772257,
> upstream commit message, or upstream news.  It seems most likely that
> this new CVE was created based on the addition of
> test-put-symlink-augsave.sh test case as part of upstream commit 16387744:
> 
> https://github.com/hercules-team/augeas/commit/16387744#diff-
> 658b06330f5444abf43ff1bf7aa19bd8
> 
> However, that test only seems to have been "preventive" rather than
> "reactive" - there was no symlink attack against .augsave similar to the
> .augnew one.  .augsave was only created via clone_file().  That function has
> other issues, covered by separate CVE-2012-0787 (bug 772261).
> 
> I used the test-put-symlink-augsave.sh test with unfixed augeas 0.9.0
> (previous version used in Red Hat Enterprise Linux 6) and it PASSes.  So I
> don't believe this CVE-2012-6607 describes any real problem.
> 
> Dominic, can you confirm my findings above?

I agree, I can't find any evidence or remember this issue affecting augsave.  I probably added the test as a preventative measure, just to prove that augsave was safe and would remain safe.

Comment 3 Tomas Hoger 2014-01-16 10:03:54 UTC
As noted above, I do not believe this CVE id refers to any security issue and I believe it was assigned incorrectly.  CVE rejection request:

http://thread.gmane.org/gmane.comp.security.oss.general/11691

Note that the relevant change was included in augeas packages erratum RHSA-2013:1537 for Red Hat Enterprise Linux 6:

https://rhn.redhat.com/errata/RHSA-2013-1537.html

Statement:

Red Hat believes that the flaw described by this CVE never affected augeas and therefore we consider this CVE assignment as invalid. For further details, refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1034243#c1