Bug 772257 - (CVE-2012-0786) CVE-2012-0786 augeas: susceptible to symlink attack
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
impact=low,public=20120811,reported=2...
Keywords: Security
Depends On: 1005040 1032748 1033395 1033396 1033397
Blocks: 772264 974906
Reported: 2012-01-06 10:57 EST by Vincent Danen
Modified: 2016-04-26 15:40 EDT

See Also:
Fixed In Version: augeas 1.0.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-05-02 12:44:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
proposed upstream patch (13.37 KB, patch) - 2012-01-06 11:23 EST, Vincent Danen
Reviewed patch (17.67 KB, patch) - 2012-02-06 19:41 EST, David Lutterkort
proposed upstream fix #5 (18.39 KB, patch) - 2012-02-14 14:32 EST, Dominic Cleal
Followup xread_file/fopen fix (1a66739c) (3.64 KB, patch) - 2012-07-29 11:23 EDT, Dominic Cleal
Followup file creation permissions fix (051c73a9) (2.21 KB, patch) - 2012-08-11 18:45 EDT, Dominic Cleal

Description Vincent Danen 2012-01-06 10:57:59 EST
Augeas is a configuration management API that represents the contents of config files as a tree in memory for editing, with the edits being written back to the actual file. By default it loads files it understands in a large number of standard system locations (/etc, /boot), but can also open files in a user-specified location [1],[2].

It has two save modes of interest, "backup" that keeps the original in PATH.augorig and "newfile" that leaves the file alone, but writes the edited version to PATH.augnew. These can be set via the API [3] or --backup/--new with augtool (CLI tool around the API).

A flaw was found in the current 0.10.0 version and most previous versions.  It requires that the directory containing the file to be edited is writable by another user, so this needs the user to explicitly open a file in another location or for a file in a default location to be in a group/world writable directory.

Augeas always opens PATH.augnew for writing, sets the file modes identically to PATH, writes the file contents and then renames PATH.augnew to PATH.

Creation of a symlink at PATH.augnew will cause the new file contents to be written to the symlink target and then the symlink is moved to PATH. This enables an attacker to get to the file contents in the symlink target and also subvert PATH.

The code's at src/transform.c in transform_save [4].

[1] http://augeas.net/page/Loading_specific_files
[2] https://github.com/raphink/augeas-sandbox/blob/master/augload
[3] http://augeas.net/docs/api.html#saving-the-tree
[4] https://git.fedorahosted.org/cgit/augeas.git/tree/src/transform.c?id=547442f#n885
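As an added example (not augeas code and not the patches attached to this bug), a hypothetical safe_save() in C shows the defensive save sequence the report calls for: the new contents go to a mkstemp() temp file in the target directory (created with O_EXCL, so a pre-placed link is never followed), the mode is copied from an existing file or derived from the umask for a new one, the fdopen() result is checked, and the temp file is renamed over PATH. safe_save_selftest() exercises it on constructed files in a fresh temporary directory, including a planted PATH.augnew link, and returns 0 when every check passes.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened save (not augeas code): write CONTENT to a uniquely named
 * mkstemp() temp file (O_CREAT|O_EXCL, so a pre-placed symlink is never followed),
 * copy the mode of an existing PATH or honour the umask for a new file, then
 * rename() the temp file over PATH. Returns 0 on success, -1 on any error. */
int safe_save(const char *path, const char *content) {
    char tmp[PATH_MAX];
    struct stat st; mode_t mode, um;
    if (snprintf(tmp, sizeof tmp, "%s.augnew.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);                     /* created 0600; symlinks are not followed */
    if (fd < 0) return -1;
    if (stat(path, &st) == 0)
        mode = st.st_mode & 07777;             /* keep the existing file's permissions */
    else {
        um = umask(0); umask(um);              /* new file: umask decides, not mkstemp's 0600 */
        mode = 0666 & ~um;
    }
    FILE *fp = fdopen(fd, "w");                /* check the stream, not only the descriptor */
    if (fp == NULL) { close(fd); unlink(tmp); return -1; }
    int ok = fchmod(fd, mode) == 0 && fputs(content, fp) != EOF;
    ok = fclose(fp) == 0 && ok;                /* fclose() also closes fd */
    if (!ok || rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Self-check on constructed files in a fresh temp directory: a link planted at PATH.augnew
 * is neither written through nor moved over PATH, and a new file gets umask permissions. */
int safe_save_selftest(void) {
    char dir[] = "/tmp/augsaveXXXXXX", path[PATH_MAX], link[PATH_MAX + 8], victim[PATH_MAX], buf[64] = "";
    struct stat st; mode_t um = umask(0); umask(um);
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(path, sizeof path, "%s/conf", dir);
    snprintf(link, sizeof link, "%s.augnew", path);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (safe_save(victim, "secret\n") != 0) return 2;                          /* create a new file */
    if (stat(victim, &st) != 0 || (st.st_mode & 07777) != (0666 & ~um)) return 3; /* umask applied */
    if (symlink(victim, link) != 0) return 4;                                  /* constructed: planted link */
    if (safe_save(path, "edited\n") != 0) return 5;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 6;               /* PATH is a regular file */
    FILE *fp = fopen(victim, "r");
    if (fp == NULL || fgets(buf, sizeof buf, fp) == NULL) return 7;
    fclose(fp); return strcmp(buf, "secret\n") == 0 ? 0 : 8;                    /* victim untouched */
}
```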
Comment 1 Vincent Danen 2012-01-06 11:23:58 EST
Created attachment 551189 [details]
proposed upstream patch
Comment 8 Kurt Seifried 2012-01-20 18:05:09 EST
Assigned CVE internally and added to alias and title.
Comment 35 Dominic Cleal 2012-02-14 14:32:08 EST
Created attachment 562023 [details]
proposed upstream fix #5
Comment 37 David Lutterkort 2012-07-19 14:25:59 EDT
Committed as 16387744 upstream
Comment 38 Dominic Cleal 2012-07-29 11:23:24 EDT
Created attachment 601046 [details]
Followup xread_file/fopen fix (1a66739c)

Followup patch that fixes a regression introduced in the xread_file function, where the success of fopen wasn't being checked.  Committed upstream as 1a66739c.
Comment 39 Dominic Cleal 2012-08-11 18:45:01 EDT
Created attachment 603732 [details]
Followup file creation permissions fix (051c73a9)

Another regression, this time for files being created via Augeas (no existing augorig), ensuring their permissions are set according to the umask rather than the 0600 permissions from mkstemp.  Committed upstream as 051c73a9.
Comment 43 Vincent Danen 2013-09-06 01:45:05 EDT
This was fixed in 1.0.0 according to the changelog (http://augeas.net/news.html):

* prevent symlink attacks via .augnew during saving, RedHat bug #772257, CVE-2012-0786
Comment 49 Tomas Hoger 2013-10-28 09:09:52 EDT
(In reply to Vincent Danen from comment #41)
> Upstream commits from 20120729 and 20120811:
> 
> https://git.fedorahosted.org/cgit/augeas.git/commit/?id=051c73a9
> https://git.fedorahosted.org/cgit/augeas.git/commit/?id=1a66739c

Note that the above two commits are follow-up regression fixes (mentioned in comment 38 and comment 39); the real fix for this issue is mentioned in comment 37:

https://git.fedorahosted.org/cgit/augeas.git/commit/?id=16387744

In the meantime, the project moved to GitHub, so the matching GitHub commit links are:

https://github.com/hercules-team/augeas/commit/16387744
https://github.com/hercules-team/augeas/commit/1a66739c
https://github.com/hercules-team/augeas/commit/051c73a9
Comment 51 errata-xmlrpc 2013-11-20 23:47:32 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1537 https://rhn.redhat.com/errata/RHSA-2013-1537.html
Comment 53 Huzaifa S. Sidhpurwala 2013-11-21 22:07:57 EST
Created augeas tracking bugs for this issue:

Affects: fedora-all [bug 1033395]
Affects: epel-4 [bug 1033396]
Affects: epel-5 [bug 1033397]
