Augeas is a configuration management API that represents the contents of config files as a tree in memory for editing, with the edits being written back to the actual file. By default it loads files it understands in a large number of standard system locations (/etc, /boot), but can also open files in a user specified location [1],[2]. It has two save modes of interest, "backup" that keeps the original in PATH.augorig and "newfile" that leaves the file alone, but writes the edited version to PATH.augnew. These can be set via the API [3] or --backup/--new with augtool (CLI tool around the API). A flaw was found in the current 0.10.0 version and most previous versions. It requires that the directory containing the file to be edited is writable by another user, so this needs the user to explicitly open a file in another location or for a file in a default location to be in a group/world writable directory. Augeas always opens PATH.augnew for writing, sets the file modes identically to PATH, writes the file contents and then renames PATH.augnew to PATH. Creation of a symlink at PATH.augnew will cause the new file contents to be written to the symlink target and then the symlink is moved to PATH. This enables an attacker to get to the file contents in the symlink target and also subvert PATH. The code's at src/transform.c in transform_save [4]. [1] http://augeas.net/page/Loading_specific_files [2] https://github.com/raphink/augeas-sandbox/blob/master/augload [3] http://augeas.net/docs/api.html#saving-the-tree [4] https://git.fedorahosted.org/cgit/augeas.git/tree/src/transform.c?id=547442f#n885
Created attachment 551189 [details] proposed upstream patch
Assigned CVE internally and added to alias and title.
Created attachment 562023 [details] proposed upstream fix #5
Committed as 16387744 upstream
Created attachment 601046 [details] Followup xread_file/fopen fix (1a66739c) Followup patch that fixes a regression introduced in the xread_file function, where the success of fopen wasn't being checked. Committed upstream as 1a66739c.
Created attachment 603732 [details] Followup file creation permissions fix (051c73a9) Another regression, this time for files being created via Augeas (no existing augorig), ensuring their permissions are set according to the umask rather than the 0600 permissions from mkstemp. Committed upstream as 051c73a9.
Upstream commits from 20120729 and 20120811: https://git.fedorahosted.org/cgit/augeas.git/commit/?id=051c73a9 https://git.fedorahosted.org/cgit/augeas.git/commit/?id=1a66739c
This was fixed in 1.0.0 according to the changelog (http://augeas.net/news.html): * prevent symlink attacks via .augnew during saving, RedHat bug #772257, CVE-2012-0786
(In reply to Vincent Danen from comment #41) > Upstream commits from 20120729 and 20120811: > > https://git.fedorahosted.org/cgit/augeas.git/commit/?id=051c73a9 > https://git.fedorahosted.org/cgit/augeas.git/commit/?id=1a66739c Note that the above two commits are follow-up regression fixes (mentioned in comment 38 and comment 39), a real fix for this issue is mentioned in comment 37: https://git.fedorahosted.org/cgit/augeas.git/commit/?id=16387744 In the meantime, project moved to github, so matching github commit links are: https://github.com/hercules-team/augeas/commit/16387744 https://github.com/hercules-team/augeas/commit/1a66739c https://github.com/hercules-team/augeas/commit/051c73a9
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:1537 https://rhn.redhat.com/errata/RHSA-2013-1537.html
Created augeas tracking bugs for this issue: Affects: fedora-all [bug 1033395] Affects: epel-4 [bug 1033396] Affects: epel-5 [bug 1033397]