A flaw was found in the way netcf's find_ifcfg_path() function processed certain XPath expressions. An attacker able to supply a specially crafted XML file to an application using netcf could cause that application to crash. Acknowledgements: This issue was discovered by Hao Liu of Red Hat.
augeas-devel mailing list thread, discussing the lack of ways to safely include untrusted user-supplied input in path strings used in Augeas queries: https://www.redhat.com/archives/augeas-devel/2014-December/msg00000.html
Augeas upstream issue that tracks the changes required to completely fix this netcf issue: https://github.com/hercules-team/augeas/pull/198
The changes are:
- Addition of a new API, aug_escape_name(), which can be used to escape untrusted inputs before using them as part of path expressions passed to APIs such as aug_match() or aug_get().
- aug_match() is changed to return properly escaped output that can be safely passed back to aug_get().
netcf uses the Augeas library to read network configuration files. It constructs paths to configuration files based on the supplied interface name, and uses those paths as arguments for Augeas' aug_match()/aug_get() calls. However, these Augeas APIs do not treat the supplied paths as static strings; they evaluate them as "path expressions", an XPath-like language documented here: https://github.com/hercules-team/augeas/wiki/Path-expressions
Augeas does not provide any way to force handling them as static paths rather than evaluating them as path expressions. Before the changes mentioned above, it also did not provide any mechanism to escape user-supplied inputs before adding them to path expressions. An interface name containing Augeas path expression syntax makes the Augeas API call return a value netcf does not expect, leading to a NULL pointer dereference and an application crash.
As netcf is used by libvirt, this flaw allows an attacker able to establish a read-only connection to the libvirt daemon (in the default configuration, any local user) to cause it to crash.
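The pattern described above, as an added illustration that is not netcf's or Augeas' own code: the expression template, the `build_ifcfg_expr_*` names and the allowlist are assumptions made for this example, and no Augeas call is made so that it runs offline. It shows how splicing an interface name straight into a path expression lets a name containing expression syntax (quotes, brackets, `|`) change the structure of the query, and one defensive approach, a strict allowlist applied before the name reaches the expression builder. The allowlist is deliberately narrower than what the Linux kernel accepts in interface names (which permits characters such as `'` and `[`); where such names must be supported, the upstream mechanism referenced earlier, aug_escape_name() together with escaped aug_match() output, is the right tool, and the match count returned by aug_match() must be checked before any result is dereferenced.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed template (not the one in netcf's find_ifcfg_path()): look up the
 * ifcfg file whose DEVICE key equals the interface name. */
#define IFCFG_DIR  "/files/etc/sysconfig/network-scripts"
#define IFNAME_MAX 15                 /* IFNAMSIZ - 1 on Linux */

/* Unsafe pattern: the caller-controlled name is spliced directly into the
 * path expression, so expression metacharacters in it are interpreted. */
int build_ifcfg_expr_unsafe(const char *ifname, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, IFCFG_DIR "/*[DEVICE = '%s']", ifname);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Conservative allowlist chosen for this example: letters, digits and a few
 * separators, within the kernel's length limit. Anything else is rejected
 * before it can reach a path expression. */
int valid_ifname(const char *ifname)
{
    size_t len = strlen(ifname);
    if (len == 0 || len > IFNAME_MAX)
        return 0;
    if (strcmp(ifname, ".") == 0 || strcmp(ifname, "..") == 0)
        return 0;
    for (const char *p = ifname; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.' || c == ':'))
            return 0;
    }
    return 1;
}

/* Hardened builder: validate first, then build. Returns -1 on rejection. */
int build_ifcfg_expr_safe(const char *ifname, char *out, size_t outsz)
{
    if (!valid_ifname(ifname))
        return -1;
    return build_ifcfg_expr_unsafe(ifname, out, outsz);
}

/* Cheap structural check used only to show the effect of injection: a
 * well-formed expression from the template has exactly one predicate and
 * one quoted literal. */
int expr_structure_intact(const char *expr)
{
    int open = 0, close = 0, quotes = 0;
    for (const char *p = expr; *p; p++) {
        if (*p == '[') open++;
        else if (*p == ']') close++;
        else if (*p == '\'') quotes++;
    }
    return open == 1 && close == 1 && quotes == 2;
}

int main(void)
{
    /* Constructed inputs: a benign name and one carrying expression syntax
     * (closes the literal and predicate, then unions in a second query). */
    const char *benign = "eth0";
    const char *hostile = "eth0'] | *[.='x";
    char expr[256];

    build_ifcfg_expr_unsafe(benign, expr, sizeof expr);
    printf("unsafe, benign : %s (intact=%d)\n", expr, expr_structure_intact(expr));
    build_ifcfg_expr_unsafe(hostile, expr, sizeof expr);
    printf("unsafe, hostile: %s (intact=%d)\n", expr, expr_structure_intact(expr));
    printf("safe, hostile  : rc=%d\n", build_ifcfg_expr_safe(hostile, expr, sizeof expr));
    return 0;
}
```

The structural check is only a demonstration aid; in real code the defence is the allowlist (or proper escaping) plus a check that aug_match() returned the expected number of matches before using them.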
Lifting embargo.
Created netcf tracking bugs for this issue:
Affects: fedora-all [bug 1207396]
Affects: epel-5 [bug 1207397]
Fixed in netcf 0.2.7: https://git.fedorahosted.org/cgit/netcf.git/tree/NEWS?id=1dd6346
Upstream commits:
https://git.fedorahosted.org/cgit/netcf.git/commit/?id=bf3a8c403065201d2ec5838334bb98fc91fd14d8
https://git.fedorahosted.org/cgit/netcf.git/commit/?id=d8146041b5b969d709da4433fead262b51a397d7
https://git.fedorahosted.org/cgit/netcf.git/commit/?id=eae312f5aacae061d468c58196a56f922b15e947
https://git.fedorahosted.org/cgit/netcf.git/commit/?id=2b4ba71272eb9ff244db3f9cb2a787a79cd18b2e
https://git.fedorahosted.org/cgit/netcf.git/commit/?id=841cace8c5a12ee9b44ecf9872f27a2f938a396a
https://git.fedorahosted.org/cgit/netcf.git/commit/?id=62842370aadb68ae181aeb53522c2411b483abb7
https://git.fedorahosted.org/cgit/netcf.git/commit/?id=2b9f6a4b450548f7f5d8cd85b6bb6f2970e183e0
https://git.fedorahosted.org/cgit/netcf.git/commit/?id=3d961693e98d9b0dc6f649ad598c6c402401c151
netcf-0.2.8-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
netcf-0.2.8-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
netcf-0.2.8-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHBA-2015:1307 https://rhn.redhat.com/errata/RHBA-2015-1307.html
Statement: (none)
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2248 https://rhn.redhat.com/errata/RHSA-2015-2248.html