Your message dated Sun, 22 Sep 2013 13:18:32 +0000
with message-id <e1vnjyw-0003js...@franck.debian.org>
and subject line Bug#723034: fixed in davfs2 1.4.7-3
has caused the Debian Bug report #723034,
regarding davfs2: CVE-2013-4362: Unsecure use of system()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
723034: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723034
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: davfs2
Version: 1.4.6-1.1
Severity: critical
Tags: patch, security, upstream

davfs2 calls the function system() several times. Because davfs2 is
installed setuid root in many cases, this allows privilege escalation.

Appended are patches for version 1.4.6 and 1.4.7 that will fix this bug.

Note: as a consequence davfs2 will no longer try to insert required
kernel modules or create device special files /dev/fuse or /dev/codaX.
So the user has to make sure that one of these devices exists before
mounting a davfs2 file system. As far as I can see /dev/fuse is created
by default on Debian systems. davfs2 uses /dev/fuse by default (and
not /dev/codaX). So this bug fix should not cause any problem on Debian
systems.

Werner (upstream maintainer)
diff -ur davfs2-1.4.6/ChangeLog davfs2-1.4.6.new/ChangeLog
--- davfs2-1.4.6/ChangeLog	2010-04-30 21:17:15.000000000 +0200
+++ davfs2-1.4.6.new/ChangeLog	2013-09-15 11:05:42.000000000 +0200
@@ -1,6 +1,11 @@
 ChangeLog for davfs2
 --------------------
 
+2013-09-08 Werner Baumann (werner.baum...@onlinehome.de)
+    * kernel_interface.c, mount_davfs.c:
+      Don't create /dev/coda and /dev/fuse.
+      Remove insecure calls of system().
+
 2010-04-30 Werner Baumann (werner.baum...@onlinehome.de)
     * Released version 1.4.6
 
Nur in davfs2-1.4.6.new: ChangeLog~.
diff -ur davfs2-1.4.6/src/kernel_interface.c davfs2-1.4.6.new/src/kernel_interface.c
--- davfs2-1.4.6/src/kernel_interface.c	2010-02-16 20:29:54.000000000 +0100
+++ davfs2-1.4.6.new/src/kernel_interface.c	2013-09-15 11:07:07.000000000 +0200
@@ -168,27 +168,6 @@
     }
 
     if (*dev <= 0) {
-        system("/sbin/modprobe coda &>/dev/null");
-        minor = 0;
-        while (*dev <= 0 && minor < MAX_CODADEVS) {
-            char *path;
-            if (asprintf(&path, "%s/%s%i",
-                         DAV_DEV_DIR, CODA_DEV_NAME, minor) < 0)
-                abort();
-            *dev = open(path, O_RDWR | O_NONBLOCK);
-            if (*dev <= 0) {
-                if (mknod(path, S_IFCHR, makedev(CODA_MAJOR, minor)) == 0) {
-                    chown(path, 0, 0);
-                    chmod(path, S_IRUSR | S_IWUSR);
-                    *dev = open(path, O_RDWR | O_NONBLOCK);
-                }
-            }
-            free(path);
-            ++minor;
-        }
-    }
-
-    if (*dev <= 0) {
         error(0, 0, _("no free coda device to mount"));
         return -1;
     }
@@ -223,24 +202,6 @@
             abort();
 
     *dev = open(path, O_RDWR | O_NONBLOCK);
-    if (*dev <= 0) {
-        system("/sbin/modprobe fuse &>/dev/null");
-        *dev = open(path, O_RDWR | O_NONBLOCK);
-    }
-    if (*dev <= 0) {
-        if (mknod(path, S_IFCHR, makedev(FUSE_MAJOR, FUSE_MINOR)) == 0) {
-            chown(path, 0, 0);
-            chmod(path, S_IRUSR | S_IWUSR);
-            *dev = open(path, O_RDWR | O_NONBLOCK);
-        }
-    }
-
-    free(path);
-    if (*dev <= 0) {
-        error(0, 0, _("can't open fuse device"));
-        return -1;
-    }
-
     if (*buf_size < (FUSE_MIN_READ_BUFFER + 4096)) {
         *buf_size = FUSE_MIN_READ_BUFFER + 4096;
     }
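Review bot: A failed `open()` of the fuse device is no longer detected in this 1.4.6 version, and `path` is never freed. The deleted lines include `free(path);` and the `if (*dev <= 0) { error(0, 0, _("can't open fuse device")); return -1; }` check, so the new side goes from `*dev = open(path, O_RDWR | O_NONBLOCK);` straight to the buffer-size adjustment. The 1.4.7 patch in the same message keeps both as context lines. Unless the rest of the function, which lies outside this hunk, handles the failure, the 1.4.6 backport should keep `free(path);` and the `*dev <= 0` check after the open.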
Nur in davfs2-1.4.6.new/src: kernel_interface.c~.
diff -ur davfs2-1.4.6/src/mount_davfs.c davfs2-1.4.6.new/src/mount_davfs.c
--- davfs2-1.4.6/src/mount_davfs.c	2010-01-21 19:50:15.000000000 +0100
+++ davfs2-1.4.6.new/src/mount_davfs.c	2013-09-15 11:13:18.000000000 +0200
@@ -170,6 +170,9 @@
 static int
 arg_to_int(const char *arg, int base, const char *opt);
 
+static void
+cp_file(const char *src, const char *dest);
+
 static int
 debug_opts(const char *s);
 
@@ -533,10 +536,7 @@
             char *file_name = ne_concat(path, "/", DAV_CONFIG, NULL);
             if (access(file_name, F_OK) != 0) {
                 char *template = ne_concat(DAV_DATA_DIR, "/", DAV_CONFIG, NULL);
-                char *command = ne_concat("cp ", template, " ", file_name,
-                                          NULL);
-                system(command);
-                free(command);
+                cp_file(template, file_name);
                 free(template);
             }
             free(file_name);
@@ -545,11 +545,7 @@
             if (access(file_name, F_OK) != 0) {
                 char *template = ne_concat(DAV_DATA_DIR, "/", DAV_SECRETS,
                                            NULL);
-                char *command = ne_concat("cp ", template, " ", file_name,
-                                          NULL);
-                if (system(command) == 0)
-                    chmod(file_name, S_IRUSR | S_IWUSR);
-                free(command);
+                cp_file(template, file_name);
                 free(template);
             }
             free(file_name);
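Review bot: The secrets file loses its owner-only permissions here. The removed code ran `chmod(file_name, S_IRUSR | S_IWUSR);` after a successful copy, while `cp_file()` creates the destination with `fopen(dest, "w")`, so the mode is whatever the process umask leaves and a new secrets file can end up readable by group or others. Add `chmod(file_name, S_IRUSR | S_IWUSR);` after `cp_file(template, file_name);`, or preferably create the file with that mode from the start. The matching hunk `@@ -542,11 +542,7 @@` in the 1.4.7 patch has the same omission, and the enclosing function starts and ends outside both hunks.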
@@ -1333,6 +1329,34 @@
 }
 
 
+/* Creates a copy of src with name dest. */
+static void
+cp_file(const char *src, const char *dest)
+{
+    FILE *in = fopen(src, "r");
+    if (!in)
+        error(EXIT_FAILURE, errno, _("can't open file %s"), src);
+
+    FILE *out = fopen(dest, "w");
+    if (!out)
+        error(EXIT_FAILURE, errno, _("can't open file %s"), dest);
+
+    size_t n = 0;
+    char *line = NULL;
+    int length = getline(&line, &n, in);
+    while (length > 0) {
+        if (fputs(line, out) == EOF) 
+            error(EXIT_FAILURE, errno, _("error writing to file %s"), dest);
+        length = getline(&line, &n, in);
+    }
+
+    if (line)
+        free(line);
+    fclose(out);
+    fclose(in);
+}
+
+
 /* Converts a debug option string s into numerical value. If s is not a
    valid debug option, it returns 0. */
 static int
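Review bot: `cp_file()` opens the destination with `fopen(dest, "w")`, which follows a symlink and truncates whatever already exists, and both callers decide to copy from an earlier `access(file_name, F_OK)`, leaving a window between check and create. For a binary the report describes as often setuid root this matters unless privileges are already dropped at that point, which the hunk does not show. Creating the file exclusively with an owner-only mode closes the window and also restores the 0600 mode the secrets file had before. Checking `fclose(out)` would catch a failed flush, and `length` should be `ssize_t` to match `getline()`. The identical function in the 1.4.7 patch (`@@ -1325,6 +1322,34 @@`) needs the same change.

```c
    /* … unchanged: fopen(src, "r") and its error check … */

    /* O_EXCL makes creation fail if dest already exists, symlinks included. */
    int fd = open(dest, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0)
        error(EXIT_FAILURE, errno, _("can't open file %s"), dest);
    FILE *out = fdopen(fd, "w");
    if (!out)
        error(EXIT_FAILURE, errno, _("can't open file %s"), dest);

    size_t n = 0;
    char *line = NULL;
    ssize_t length = getline(&line, &n, in);
    /* … unchanged: getline/fputs copy loop … */

    free(line);
    if (fclose(out) != 0)
        error(EXIT_FAILURE, errno, _("error writing to file %s"), dest);
    fclose(in);
```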
Nur in davfs2-1.4.6.new/src: mount_davfs.c~.
diff -ur davfs2-1.4.7/ChangeLog davfs2-1.4.7.new/ChangeLog
--- davfs2-1.4.7/ChangeLog	2012-07-19 13:37:52.000000000 +0200
+++ davfs2-1.4.7.new/ChangeLog	2013-09-15 10:19:12.000000000 +0200
@@ -1,6 +1,11 @@
 ChangeLog for davfs2
 --------------------
 
+2013-09-08 Werner Baumann (werner.baum...@onlinehome.de)
+    * kernel_interface.c, mount_davfs.c:
+      Don't create /dev/coda and /dev/fuse.
+      Remove insecure calls of system().
+
 2012-07-19 Werner Baumann (werner.baum...@onlinehome.de)
     * Release version 1.4.7.
 
diff -ur davfs2-1.4.7/src/kernel_interface.c davfs2-1.4.7.new/src/kernel_interface.c
--- davfs2-1.4.7/src/kernel_interface.c	2012-07-19 12:58:48.000000000 +0200
+++ davfs2-1.4.7.new/src/kernel_interface.c	2013-09-15 10:15:07.000000000 +0200
@@ -167,29 +167,6 @@
         ++minor;
     }
 
-    if (*dev <= 0 && system("/sbin/modprobe coda &>/dev/null") == 0) {
-        minor = 0;
-        while (*dev <= 0 && minor < MAX_CODADEVS) {
-            char *path;
-            if (asprintf(&path, "%s/%s%i",
-                         DAV_DEV_DIR, CODA_DEV_NAME, minor) < 0)
-                abort();
-            *dev = open(path, O_RDWR | O_NONBLOCK);
-            if (*dev <= 0) {
-                if (mknod(path, S_IFCHR, makedev(CODA_MAJOR, minor)) == 0) {
-                    if (chown(path, 0, 0) == 0
-                            && chmod(path, S_IRUSR | S_IWUSR) == 0) {
-                        *dev = open(path, O_RDWR | O_NONBLOCK);
-                    } else {
-                        remove(path);
-                    }
-                }
-            }
-            free(path);
-            ++minor;
-        }
-    }
-
     if (*dev <= 0) {
         error(0, 0, _("no free coda device to mount"));
         return -1;
@@ -225,20 +202,6 @@
             abort();
 
     *dev = open(path, O_RDWR | O_NONBLOCK);
-    if (*dev <= 0 && system("/sbin/modprobe fuse &>/dev/null") == 0) {
-        *dev = open(path, O_RDWR | O_NONBLOCK);
-    }
-    if (*dev <= 0) {
-        if (mknod(path, S_IFCHR, makedev(FUSE_MAJOR, FUSE_MINOR)) == 0) {
-             if (chown(path, 0, 0) == 0
-                    && chmod(path, S_IRUSR | S_IWUSR) == 0) {
-                *dev = open(path, O_RDWR | O_NONBLOCK);
-            } else {
-                remove(path);
-            }
-        }
-    }
-
     free(path);
     if (*dev <= 0) {
         error(0, 0, _("can't open fuse device"));
diff -ur davfs2-1.4.7/src/mount_davfs.c davfs2-1.4.7.new/src/mount_davfs.c
--- davfs2-1.4.7/src/mount_davfs.c	2012-07-19 13:35:11.000000000 +0200
+++ davfs2-1.4.7.new/src/mount_davfs.c	2013-09-15 10:15:22.000000000 +0200
@@ -170,6 +170,9 @@
 static int
 arg_to_int(const char *arg, int base, const char *opt);
 
+static void
+cp_file(const char *src, const char *dest);
+
 static int
 debug_opts(const char *s);
 
@@ -530,10 +533,7 @@
             char *file_name = ne_concat(path, "/", DAV_CONFIG, NULL);
             if (access(file_name, F_OK) != 0) {
                 char *template = ne_concat(DAV_DATA_DIR, "/", DAV_CONFIG, NULL);
-                char *command = ne_concat("cp ", template, " ", file_name,
-                                          NULL);
-                if (system(command) != 0);
-                free(command);
+                cp_file(template, file_name);
                 free(template);
             }
             free(file_name);
@@ -542,11 +542,7 @@
             if (access(file_name, F_OK) != 0) {
                 char *template = ne_concat(DAV_DATA_DIR, "/", DAV_SECRETS,
                                            NULL);
-                char *command = ne_concat("cp ", template, " ", file_name,
-                                          NULL);
-                if (system(command) == 0)
-                    chmod(file_name, S_IRUSR | S_IWUSR);
-                free(command);
+                cp_file(template, file_name);
                 free(template);
             }
             free(file_name);
@@ -1304,6 +1300,7 @@
    opt    : name of the option, arg belongs to. Used in the error message.
    return value: the value of the integer number in arg */
 static int
+
 arg_to_int(const char *arg, int base, const char *opt)
 {
     char *tail = NULL;
@@ -1325,6 +1322,34 @@
 }
 
 
+/* Creates a copy of src with name dest. */
+static void
+cp_file(const char *src, const char *dest)
+{
+    FILE *in = fopen(src, "r");
+    if (!in)
+        error(EXIT_FAILURE, errno, _("can't open file %s"), src);
+
+    FILE *out = fopen(dest, "w");
+    if (!out)
+        error(EXIT_FAILURE, errno, _("can't open file %s"), dest);
+
+    size_t n = 0;
+    char *line = NULL;
+    int length = getline(&line, &n, in);
+    while (length > 0) {
+        if (fputs(line, out) == EOF) 
+            error(EXIT_FAILURE, errno, _("error writing to file %s"), dest);
+        length = getline(&line, &n, in);
+    }
+
+    if (line)
+        free(line);
+    fclose(out);
+    fclose(in);
+}
+
+
 /* Converts a debug option string s into numerical value. If s is not a
    valid debug option, it returns 0. */
 static int

--- End Message ---
--- Begin Message ---
Source: davfs2
Source-Version: 1.4.7-3

We believe that the bug you reported is fixed in the latest version of
davfs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <luci...@debian.org> (supplier of updated davfs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 22 Sep 2013 14:24:20 +0200
Source: davfs2
Binary: davfs2
Architecture: source amd64
Version: 1.4.7-3
Distribution: unstable
Urgency: high
Maintainer: Luciano Bello <luci...@debian.org>
Changed-By: Luciano Bello <luci...@debian.org>
Description: 
 davfs2     - mount a WebDAV resource as a regular file system
Closes: 720811 723034
Changes: 
 davfs2 (1.4.7-3) unstable; urgency=high
 .
   * Fix CVE-2013-4362: Unsecure use of system(). Closes: #723034
   * Compatibility with neon library version 0.30 included. Closes: #720811
   * New Standards-Version: 3.9.4
Checksums-Sha1: 
 3a53ace644fcaa860b6f3fe41567b70caaef4d76 1125 davfs2_1.4.7-3.dsc
 2e8461684bcf78b562fa17b08321d7f7281eb24f 79785 davfs2_1.4.7-3.debian.tar.gz
 5cc4446ee03c05df7a654ee99b14ea5b1e0eb039 141304 davfs2_1.4.7-3_amd64.deb
Checksums-Sha256: 
 d54cf939a1369d83649dd486413852868f6182975f78b81fd50800b366a2101f 1125 
davfs2_1.4.7-3.dsc
 fa68ff0babffcfdab148e3263873a06a5a4ad04ed644076590ae6c4ff5b26cb1 79785 
davfs2_1.4.7-3.debian.tar.gz
 a0c2e00213ac50c61673acd55c0f9007517524fa818571446d1f1f3ebaf3ca98 141304 
davfs2_1.4.7-3_amd64.deb
Files: 
 517ef81dc013611a7b74a4c9f08a948e 1125 utils extra davfs2_1.4.7-3.dsc
 e7e7b1d93db35e9b5b17184f1be0ce24 79785 utils extra davfs2_1.4.7-3.debian.tar.gz
 9d23544d6f61a6155f9a8dddf20d5281 141304 utils extra davfs2_1.4.7-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlI+4ekACgkQQWTRs4lLtHkvwgCgmebrhFYC1NoKplLYwG/DeXEW
Ez8An2RY/Yb8W4AKLQ8d55dCD7jUv8Nx
=C+A/
-----END PGP SIGNATURE-----

--- End Message ---
