Debian Bug report logs - #739536
xfe: CVE-2014-2079: directory masks ignored when creating new files on Samba and NFS
Reported by: Robert Rottscholl <devel@rinx.de>
Date: Wed, 19 Feb 2014 19:15:01 UTC
Severity: normal
Tags: patch, security, upstream
Found in version xfe/1.32.5-2
Fixed in version xfe/1.37-2
Done: Joachim Wiedorn <ad_debian@joonet.de>
Bug is archived. No further changes may be made.
Forwarded to Roland Baudin <roland65@free.fr>
Report forwarded
to debian-bugs-dist@lists.debian.org, ad_debian@joonet.de, Joachim Wiedorn <ad_debian@joonet.de>:
Bug#739536; Package xfe.
(Wed, 19 Feb 2014 19:15:06 GMT).
Acknowledgement sent
to Robert Rottscholl <devel@rinx.de>:
New Bug report received and forwarded. Copy sent to ad_debian@joonet.de, Joachim Wiedorn <ad_debian@joonet.de>.
(Wed, 19 Feb 2014 19:15:06 GMT).
Message #5 received at submit@bugs.debian.org:
Package: xfe
Version: 1.32.5-2
Severity: normal
Tags: patch upstream
I'm re-submitting this to upstream and I kindly ask the maintainer to fix
this in stable and re-upload the fixed package.
Lately, I was playing around with ACLs on Samba and NFS shares when I
discovered that the 'File New' dialog always creates files with the mask of
the user (default 0022), instead of applying the rights determined by the
default ACL set on the particular directory (which is the default behavior
of 'touch'). This is problematic because the admin sets ACLs because he/she
most likely wants to restrict foreign access to this file and the default
behavior of xfe ignores this, giving unprivileged users read access in
possibly right sensitive areas (e.g. xfe invoked by root and creating a new
file and afterwards adding a private key to it). Furthermore, changing the
default umask can expand the problem to a more severe security impact.
The problem could be reproduced in stable (wheezy), testing (jessie) and
unstable (sid) also with local ACLs. The responsible code is located in
function FilePanel::onCmdNewFile in FilePanel.cpp (lines 2763-2775 in
version 1.32.5-2 [stable]; 2944-2956 in version 1.37-1 [testing, unstable]).
The attached patches fix this vulnerability in all versions by removing
these lines and thus restore the Linux default behavior. Intense testing
of the patched version showed no recurrence of the issue.
-- System Information:
Debian Release: 7.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.13.1 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages xfe depends on:
ii libc6 2.13-38+deb7u1
ii libfox-1.6-0 1.6.45-1
ii libfreetype6 2.4.9-1.1
ii libgcc1 1:4.7.2-5
ii libpng12-0 1.2.49-1
ii libstdc++6 4.7.2-5
ii libx11-6 2:1.5.0-1+deb7u1
ii libxft2 2.3.1-1
ii xfe-themes 1.32.5-2lv4261
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages xfe recommends:
ii audacious 3.2.4-1
ii xarchiver 1:0.5.2+20090319+dfsg-4.1
ii xfe-i18n 1.32.5-2lv4261
ii xterm 278-4
Versions of packages xfe suggests:
ii rpm 4.10.0-5+deb7u1
pn xine-ui <none>
pn xpdf <none>
-- no debconf information
[14_remove_chmod_on_file_new_1.35.2-2.patch (text/x-diff, attachment)]
[14_remove_chmod_on_file_new_v1.37-1.patch (text/x-diff, attachment)]
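The permission arithmetic behind the report above, as an added example that is not part of the report or of xfe's code: a Python model of how a new file inherits a directory's default ACL and what a follow-up chmod() to 0666 & ~umask does to it. That the removed lines perform such a chmod is an assumption drawn from the patch file names; the ACL entries, the user `alice` and all function names are constructed for illustration.

```python
# Added example: a model of POSIX ACL inheritance, not xfe's code.
import re

# Constructed getfacl-style default ACL of a restricted share directory.
SAMPLE = """\
# file: srv/share/private
default:user::rwx
default:user:alice:rwx
default:group::---
default:mask::rwx
default:other::---
"""

def parse_default_acl(text):
    """Return {(tag, qualifier): permission bits} for the 'default:' entries."""
    acl = {}
    for line in text.splitlines():
        m = re.match(r"default:(user|group|mask|other):([^:]*):([rwx-]{3})$", line.strip())
        if m:
            tag, qual, perms = m.groups()
            acl[(tag, qual)] = sum({"r": 4, "w": 2, "x": 1}[c] for c in perms if c != "-")
    return acl

def set_mode(acl, mode, intersect):
    """Map mode bits onto user::, mask:: (group:: if no mask) and other::.
    intersect=True models inheritance at creation; False models chmod()."""
    acl = dict(acl)
    gkey = ("mask", "") if ("mask", "") in acl else ("group", "")
    for key, shift in ((("user", ""), 6), (gkey, 3), (("other", ""), 0)):
        bits = (mode >> shift) & 7
        acl[key] = acl[key] & bits if intersect else bits
    return acl

def effective(acl):
    """Rights after masking: named users and every group entry are capped by mask::."""
    mask = acl.get(("mask", ""), 7)
    return {k: (p & mask if k[0] == "group" or (k[0] == "user" and k[1]) else p)
            for k, p in acl.items() if k[0] != "mask"}

def widened(default_acl, umask=0o022):
    """Entries that gain rights when creation is followed by chmod(0666 & ~umask)."""
    new = set_mode(default_acl, 0o666, intersect=True)   # what open(..., 0666) yields
    before = effective(new)
    after = effective(set_mode(new, 0o666 & ~umask, intersect=False))
    return {k: after[k] & ~before[k] for k in before if after[k] & ~before[k]}

print(widened(parse_default_acl(SAMPLE)))   # other:: gains read
```

With the default umask 0022 the chmod hands read access to `other::`, which the directory's default ACL had denied; a umask of 0 widens it to read and write.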
Added tag(s) security.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 21 Feb 2014 07:00:04 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#739536; Package xfe.
(Fri, 21 Feb 2014 19:33:04 GMT).
Acknowledgement sent
to Joachim Wiedorn <ad_debian@joonet.de>:
Extra info received and forwarded to list.
(Fri, 21 Feb 2014 19:33:04 GMT).
Message #12 received at 739536@bugs.debian.org:
Hello Robert,
thanks for this report. It is a pain for me, too, that ACL will be
ignored. I will test your patch and hope upstream agrees with this patch.
Have a nice day.
Joachim (Germany)
Information forwarded
to debian-bugs-dist@lists.debian.org, Joachim Wiedorn <ad_debian@joonet.de>:
Bug#739536; Package xfe.
(Mon, 24 Feb 2014 05:45:10 GMT).
Acknowledgement sent
to mmcallis@redhat.com:
Extra info received and forwarded to list. Copy sent to Joachim Wiedorn <ad_debian@joonet.de>.
(Mon, 24 Feb 2014 05:45:10 GMT).
Message #17 received at 739536@bugs.debian.org:
Hello,
Robert Rottscholl reported that when creating a new file via X File
Explorer (xfe) on a Samba or NFS share, the user's mask was used for the
permissions instead of that specified by the Samba or NFS configuration.
Full details and patches are available from the following:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739536
From brief testing on Fedora with Samba and the "create mask" smb.conf
option, this issue only presented when running xfe as the root user. The
intended mask was used when running xfe as an unprivileged user. I don't
the equivalent NFS option.
Can a CVE please be assigned if one has not been already?
Thanks,
--
Murray McAllister / Red Hat Security Response Team
https://bugzilla.redhat.com/show_bug.cgi?id=1069066
Information forwarded
to debian-bugs-dist@lists.debian.org, Joachim Wiedorn <ad_debian@joonet.de>:
Bug#739536; Package xfe.
(Mon, 24 Feb 2014 14:15:04 GMT).
Acknowledgement sent
to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Joachim Wiedorn <ad_debian@joonet.de>.
(Mon, 24 Feb 2014 14:15:04 GMT).
Message #22 received at 739536@bugs.debian.org:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739536
> From brief testing on Fedora with Samba and the "create mask" smb.conf
> option, this issue only presented when running xfe as the root user. The
> intended mask was used when running xfe as an unprivileged user.
This seems to be an implementation error. It seems extremely unlikely
that this type of product would want to provide "weaker than normal"
file restrictions only in the special case of files created by root.
Use CVE-2014-2079.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Changed Bug title to 'xfe: CVE-2014-2079: directory masks ignored when creating new files on Samba and NFS' from 'xfe: File New sets inappropriate permissions in ACL enabled directories (re-submitted for upstream)'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 24 Feb 2014 15:18:06 GMT).
Set Bug forwarded-to-address to 'Roland Baudin <roland65@free.fr>'.
Request was from Joachim Wiedorn <ad_debian@joonet.de>
to control@bugs.debian.org.
(Mon, 24 Feb 2014 17:57:08 GMT).
Reply sent
to Joachim Wiedorn <ad_debian@joonet.de>:
You have taken responsibility.
(Mon, 29 Sep 2014 09:30:10 GMT).
Notification sent
to Robert Rottscholl <devel@rinx.de>:
Bug acknowledged by developer.
(Mon, 29 Sep 2014 09:30:10 GMT).
Message #31 received at 739536-close@bugs.debian.org:
Source: xfe
Source-Version: 1.37-2
We believe that the bug you reported is fixed in the latest version of
xfe, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 739536@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joachim Wiedorn <ad_debian@joonet.de> (supplier of updated xfe package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 29 Sep 2014 09:42:22 +0200
Source: xfe
Binary: xfe xfe-i18n xfe-themes
Architecture: all amd64 i386 source
Version: 1.37-2
Distribution: unstable
Urgency: medium
Maintainer: Joachim Wiedorn <ad_debian@joonet.de>
Changed-By: Joachim Wiedorn <ad_debian@joonet.de>
Closes: 728006 739536
Description:
xfe-i18n - lightweight file manager for X11 (i18n support)
xfe - lightweight file manager for X11
xfe-themes - lightweight file manager for X11 (themes)
Changes:
xfe (1.37-2) unstable; urgency=medium
.
* Fix: Umask failure as root (CVE-2014-2079). Closes: #739536
* Fix: Typo in German translation of archive suffixes.
* Fix: use dh-autoreconf for better support for AArch64 architecture
as a more general solution (updating aclocal.m4 and configure
file). Closes: #728006
* Fix: Add Exec options to .desktop files (lintian warnings).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 28 Oct 2014 07:32:39 GMT).
Last modified: Tue Jul 23 10:17:52 2024