Debian Bug report logs - #723034
davfs2: CVE-2013-4362: Unsecure use of system()

version graph

Package: davfs2; Maintainer for davfs2 is Luciano Bello <luciano@debian.org>; Source for davfs2 is src:davfs2.

Reported by: Werner Baumann <werner.baumann@onlinehome.de>

Date: Sun, 15 Sep 2013 16:33:02 UTC

Severity: critical

Tags: patch, security, upstream

Found in version davfs2/1.4.6-1.1

Fixed in versions davfs2/1.4.7-3, davfs2/1.4.6-1.1+deb7u1

Done: Luciano Bello <luciano@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://savannah.nongnu.org/bugs/?40034

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Luciano Bello <luciano@debian.org>:
Bug#723034; Package davfs2. (Sun, 15 Sep 2013 16:33:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Werner Baumann <werner.baumann@onlinehome.de>:
New Bug report received and forwarded. Copy sent to Luciano Bello <luciano@debian.org>. (Sun, 15 Sep 2013 16:33:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Werner Baumann <werner.baumann@onlinehome.de>
To: submit@bugs.debian.org
Subject: Unsecure use of system()
Date: Sun, 15 Sep 2013 18:29:46 +0200
[Message part 1 (text/plain, inline)]
Package: davfs2
Version: 1.4.6-1.1
Severity: critical
Tags: patch, security, upstream

davfs2 calls function system several times. Because davfs2 is setuid
root in many cases this will allow for privilege escalation.

Appended are patches for version 1.4.6 and 1.4.7 that will fix this bug.

Note: as a consequence davfs2 will no longer try to insert required
kernel modules or create device special files /dev/fuse or /dev/codaX.
So the user has to make sure that one of these devices exists before
mounting a davfs2 file system. As far as I can see /dev/fuse is created
by default on Debian systems. davfs2 uses /dev/fuse by default (and
not /dev/codaX). So this bug fix should not cause any problem on Debian
systems.

Werner (upstream maintainer)
[davfs2-1.4.6-system.diff (text/x-patch, attachment)]
[davfs2-1.4.7-system.diff (text/x-patch, attachment)]

Set Bug forwarded-to-address to 'http://savannah.nongnu.org/bugs/?40034'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 17 Sep 2013 15:00:16 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Luciano Bello <luciano@debian.org>:
Bug#723034; Package davfs2. (Wed, 18 Sep 2013 20:51:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Luciano Bello <luciano@debian.org>. (Wed, 18 Sep 2013 20:51:09 GMT) Full text and rfc822 format available.

Message #12 received at 723034@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Werner Baumann <werner.baumann@onlinehome.de>, 723034@bugs.debian.org
Subject: Re: Bug#723034: Unsecure use of system()
Date: Wed, 18 Sep 2013 22:49:07 +0200
Control: retitle -1 davfs2: CVE-2013-4362: Unsecure use of system()

Hi

A CVE was assigned to this issue: CVE-2013-4362.

Regards,
Salvatore



Changed Bug title to 'davfs2: CVE-2013-4362: Unsecure use of system()' from 'Unsecure use of system()' Request was from Salvatore Bonaccorso <carnil@debian.org> to 723034-submit@bugs.debian.org. (Wed, 18 Sep 2013 20:51:09 GMT) Full text and rfc822 format available.

Reply sent to Luciano Bello <luciano@debian.org>:
You have taken responsibility. (Sun, 22 Sep 2013 13:21:09 GMT) Full text and rfc822 format available.

Notification sent to Werner Baumann <werner.baumann@onlinehome.de>:
Bug acknowledged by developer. (Sun, 22 Sep 2013 13:21:09 GMT) Full text and rfc822 format available.

Message #19 received at 723034-close@bugs.debian.org (full text, mbox):

From: Luciano Bello <luciano@debian.org>
To: 723034-close@bugs.debian.org
Subject: Bug#723034: fixed in davfs2 1.4.7-3
Date: Sun, 22 Sep 2013 13:18:32 +0000
Source: davfs2
Source-Version: 1.4.7-3

We believe that the bug you reported is fixed in the latest version of
davfs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723034@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <luciano@debian.org> (supplier of updated davfs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 22 Sep 2013 14:24:20 +0200
Source: davfs2
Binary: davfs2
Architecture: source amd64
Version: 1.4.7-3
Distribution: unstable
Urgency: high
Maintainer: Luciano Bello <luciano@debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description: 
 davfs2     - mount a WebDAV resource as a regular file system
Closes: 720811 723034
Changes: 
 davfs2 (1.4.7-3) unstable; urgency=high
 .
   * Fix CVE-2013-4362: Unsecure use of system(). Closes: #723034
   * Compatibility with neon library version 0.30 included. Closes: #720811
   * New Standards-Version: 3.9.4
Checksums-Sha1: 
 3a53ace644fcaa860b6f3fe41567b70caaef4d76 1125 davfs2_1.4.7-3.dsc
 2e8461684bcf78b562fa17b08321d7f7281eb24f 79785 davfs2_1.4.7-3.debian.tar.gz
 5cc4446ee03c05df7a654ee99b14ea5b1e0eb039 141304 davfs2_1.4.7-3_amd64.deb
Checksums-Sha256: 
 d54cf939a1369d83649dd486413852868f6182975f78b81fd50800b366a2101f 1125 davfs2_1.4.7-3.dsc
 fa68ff0babffcfdab148e3263873a06a5a4ad04ed644076590ae6c4ff5b26cb1 79785 davfs2_1.4.7-3.debian.tar.gz
 a0c2e00213ac50c61673acd55c0f9007517524fa818571446d1f1f3ebaf3ca98 141304 davfs2_1.4.7-3_amd64.deb
Files: 
 517ef81dc013611a7b74a4c9f08a948e 1125 utils extra davfs2_1.4.7-3.dsc
 e7e7b1d93db35e9b5b17184f1be0ce24 79785 utils extra davfs2_1.4.7-3.debian.tar.gz
 9d23544d6f61a6155f9a8dddf20d5281 141304 utils extra davfs2_1.4.7-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlI+4ekACgkQQWTRs4lLtHkvwgCgmebrhFYC1NoKplLYwG/DeXEW
Ez8An2RY/Yb8W4AKLQ8d55dCD7jUv8Nx
=C+A/
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Luciano Bello <luciano@debian.org>:
Bug#723034; Package davfs2. (Wed, 25 Sep 2013 19:03:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Werner Baumann <werner.baumann@onlinehome.de>:
Extra info received and forwarded to list. Copy sent to Luciano Bello <luciano@debian.org>. (Wed, 25 Sep 2013 19:03:05 GMT) Full text and rfc822 format available.

Message #24 received at 723034@bugs.debian.org (full text, mbox):

From: Werner Baumann <werner.baumann@onlinehome.de>
To: 723034@bugs.debian.org
Subject: davfs2: CVE-2013-4362: Unsecure use of system()
Date: Wed, 25 Sep 2013 20:57:51 +0200
[Message part 1 (text/plain, inline)]
There is a stupid error in patchfile davfs2-1.4.6-system.diff which was
submitted by me. Please don't use it.
Appended is the corrected patchfile davfs2-1.4.6-system-2.diff.

Werner
[davfs2-1.4.6-system-2.diff (text/x-patch, attachment)]

Reply sent to Luciano Bello <luciano@debian.org>:
You have taken responsibility. (Sun, 06 Oct 2013 19:06:24 GMT) Full text and rfc822 format available.

Notification sent to Werner Baumann <werner.baumann@onlinehome.de>:
Bug acknowledged by developer. (Sun, 06 Oct 2013 19:06:24 GMT) Full text and rfc822 format available.

Message #29 received at 723034-close@bugs.debian.org (full text, mbox):

From: Luciano Bello <luciano@debian.org>
To: 723034-close@bugs.debian.org
Subject: Bug#723034: fixed in davfs2 1.4.6-1.1+deb7u1
Date: Sun, 06 Oct 2013 19:02:04 +0000
Source: davfs2
Source-Version: 1.4.6-1.1+deb7u1

We believe that the bug you reported is fixed in the latest version of
davfs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723034@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <luciano@debian.org> (supplier of updated davfs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 26 Sep 2013 14:19:41 +0200
Source: davfs2
Binary: davfs2
Architecture: source amd64
Version: 1.4.6-1.1+deb7u1
Distribution: stable-security
Urgency: low
Maintainer: Luciano Bello <luciano@debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description: 
 davfs2     - mount a WebDAV resource as a regular file system
Closes: 723034
Changes: 
 davfs2 (1.4.6-1.1+deb7u1) stable-security; urgency=low
 .
   * Fix CVE-2013-4362: Unsecure use of system(). Closes: #723034
Checksums-Sha1: 
 71d83ce914dd591e61c4da7a9afc20e71bf00e3c 1104 davfs2_1.4.6-1.1+deb7u1.dsc
 5cf396d771345a2bf3583c0a7c08d1ab50a38b97 429799 davfs2_1.4.6.orig.tar.gz
 ac45933903f8a9c39699365663b705852d4a04d7 49173 davfs2_1.4.6-1.1+deb7u1.diff.gz
 aa6436ced8887eb8a23a0db799098a13bb22f1b1 157186 davfs2_1.4.6-1.1+deb7u1_amd64.deb
Checksums-Sha256: 
 f1a8cb1a7c3a361a7262f21b1c6b2b66bb4215d985e6166df162bd0a0e3ce64b 1104 davfs2_1.4.6-1.1+deb7u1.dsc
 e07252ec6db38c8f691bf2dada639e8300e058594f47a7c3c45020631621c356 429799 davfs2_1.4.6.orig.tar.gz
 4dfa2bc7bb81e73364e1c7010a773bbf44ddb8e5dbd032861d6bcdf8c13261ad 49173 davfs2_1.4.6-1.1+deb7u1.diff.gz
 6199a9ea155bf6afde3b1bb20bec170f5f94c6b2e6f7e83b88d82ecf72fe8ca0 157186 davfs2_1.4.6-1.1+deb7u1_amd64.deb
Files: 
 c527098c3dd57e73e364b31bdd6acdc5 1104 utils extra davfs2_1.4.6-1.1+deb7u1.dsc
 c9e8aeb15daeba4b6283b40bb640e908 429799 utils extra davfs2_1.4.6.orig.tar.gz
 166c80ee52e1d5a0d860a25716030a07 49173 utils extra davfs2_1.4.6-1.1+deb7u1.diff.gz
 3882314feac8eca600c0ee02a56dec4c 157186 utils extra davfs2_1.4.6-1.1+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlJEKSYACgkQQWTRs4lLtHkzOQCgsJRRPzSqgIjgVBWRVleDdOkR
hHgAnRwbVnleRkMI+84DenMl4tOOqfd0
=hUVU
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Nov 2013 07:33:58 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 08:20:34 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.