Bug 772257 (CVE-2012-0786) - CVE-2012-0786 augeas: susceptible to symlink attack
Summary: CVE-2012-0786 augeas: susceptible to symlink attack
Alias: CVE-2012-0786
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1005040 1032748 1033395 1033396 1033397
Blocks: 772264 974906
Reported: 2012-01-06 15:57 UTC by Vincent Danen
Modified: 2019-09-29 12:49 UTC (History)

Fixed In Version: augeas 1.0.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-05-02 16:44:59 UTC

Attachments
proposed upstream patch (13.37 KB, patch) - 2012-01-06 16:23 UTC, Vincent Danen
Reviewed patch (17.67 KB, patch) - 2012-02-07 00:41 UTC, David Lutterkort
proposed upstream fix #5 (18.39 KB, patch) - 2012-02-14 19:32 UTC, Dominic Cleal
Followup xread_file/fopen fix (1a66739c) (3.64 KB, patch) - 2012-07-29 15:23 UTC, Dominic Cleal
Followup file creation permissions fix (051c73a9) (2.21 KB, patch) - 2012-08-11 22:45 UTC, Dominic Cleal

Related errata:
Red Hat Product Errata RHSA-2013:1537 (priority normal, status SHIPPED_LIVE): Low: augeas security, bug fix, and enhancement update. Last updated 2013-11-21 01:11:37 UTC

Description Vincent Danen 2012-01-06 15:57:59 UTC
Augeas is a configuration management API that represents the contents of config files as a tree in memory for editing, with the edits being written back to the actual file. By default it loads files it understands in a large number of standard system locations (/etc, /boot), but can also open files in a user specified location [1],[2].

It has two save modes of interest, "backup" that keeps the original in PATH.augorig and "newfile" that leaves the file alone, but writes the edited version to PATH.augnew. These can be set via the API [3] or --backup/--new with augtool (CLI tool around the API).

A flaw was found in the current 0.10.0 version and most previous versions.  It requires that the directory containing the file to be edited is writable by another user, so this needs the user to explicitly open a file in another location or for a file in a default location to be in a group/world writable directory.

Augeas always opens PATH.augnew for writing, sets the file modes identically to PATH, writes the file contents and then renames PATH.augnew to PATH.

Creation of a symlink at PATH.augnew will cause the new file contents to be written to the symlink target and then the symlink is moved to PATH. This enables an attacker to get to the file contents in the symlink target and also subvert PATH.

The code's at src/transform.c in transform_save [4].

[1] http://augeas.net/page/Loading_specific_files
[2] https://github.com/raphink/augeas-sandbox/blob/master/augload
[3] http://augeas.net/docs/api.html#saving-the-tree
[4] https://git.fedorahosted.org/cgit/augeas.git/tree/src/transform.c?id=547442f#n885

Comment 1 Vincent Danen 2012-01-06 16:23:58 UTC
Created attachment 551189 [details]
proposed upstream patch

Comment 8 Kurt Seifried 2012-01-20 23:05:09 UTC
Assigned CVE internally and added to alias and title.

Comment 35 Dominic Cleal 2012-02-14 19:32:08 UTC
Created attachment 562023 [details]
proposed upstream fix #5

Comment 37 David Lutterkort 2012-07-19 18:25:59 UTC
Committed as 16387744 upstream

Comment 38 Dominic Cleal 2012-07-29 15:23:24 UTC
Created attachment 601046 [details]
Followup xread_file/fopen fix (1a66739c)

Followup patch that fixes a regression introduced in the xread_file function, where the success of fopen wasn't being checked.  Committed upstream as 1a66739c.

Comment 39 Dominic Cleal 2012-08-11 22:45:01 UTC
Created attachment 603732 [details]
Followup file creation permissions fix (051c73a9)

Another regression, this time for files being created via Augeas (no existing augorig), ensuring their permissions are set according to the umask rather than the 0600 permissions from mkstemp.  Committed upstream as 051c73a9.

Comment 43 Vincent Danen 2013-09-06 05:45:05 UTC
This was fixed in 1.0.0 according to the changelog (http://augeas.net/news.html):

* prevent symlink attacks via .augnew during saving, RedHat bug #772257, CVE-2012-0786

Comment 49 Tomas Hoger 2013-10-28 13:09:52 UTC
(In reply to Vincent Danen from comment #41)
> Upstream commits from 20120729 and 20120811:
> https://git.fedorahosted.org/cgit/augeas.git/commit/?id=051c73a9
> https://git.fedorahosted.org/cgit/augeas.git/commit/?id=1a66739c

Note that the above two commits are follow-up regression fixes (mentioned in comment 38 and comment 39), a real fix for this issue is mentioned in comment 37:

In the meantime, project moved to github, so matching github commit links are:

Comment 51 errata-xmlrpc 2013-11-21 04:47:32 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1537 https://rhn.redhat.com/errata/RHSA-2013-1537.html

Comment 53 Huzaifa S. Sidhpurwala 2013-11-22 03:07:57 UTC
Created augeas tracking bugs for this issue:

Affects: fedora-all [bug 1033395]
Affects: epel-4 [bug 1033396]
Affects: epel-5 [bug 1033397]
