low
3.3
CWE
59
Advisory Published
CVE Published
Updated

CVE-2012-0786

First published: Fri Jan 06 2012(Updated: )

Augeas is a configuration management API that represents the contents of config files as a tree in memory for editing, with the edits being written back to the actual file. By default it loads files it understands in a large number of standard system locations (/etc, /boot), but can also open files in a user specified location [1],[2]. It has two save modes of interest, "backup" that keeps the original in PATH.augorig and "newfile" that leaves the file alone, but writes the edited version to PATH.augnew. These can be set via the API [3] or --backup/--new with augtool (CLI tool around the API). A flaw was found in the current 0.10.0 version and most previous versions. It requires that the directory containing the file to be edited is writable by another user, so this needs the user to explicitly open a file in another location or for a file in a default location to be in a group/world writable directory. Augeas always opens PATH.augnew for writing, sets the file modes identically to PATH, writes the file contents and then renames PATH.augnew to PATH. Creation of a symlink at PATH.augnew will cause the new file contents to be written to the symlink target and then the symlink is moved to PATH. This enables an attacker to get to the file contents in the symlink target and also subvert PATH. The code's at src/transform.c in transform_save [4]. [1] <a href="http://augeas.net/page/Loading_specific_files">http://augeas.net/page/Loading_specific_files</a> [2] <a href="https://github.com/raphink/augeas-sandbox/blob/master/augload">https://github.com/raphink/augeas-sandbox/blob/master/augload</a> [3] <a href="http://augeas.net/docs/api.html#saving-the-tree">http://augeas.net/docs/api.html#saving-the-tree</a> [4] <a href="https://git.fedorahosted.org/cgit/augeas.git/tree/src/transform.c?id=547442f#n885">https://git.fedorahosted.org/cgit/augeas.git/tree/src/transform.c?id=547442f#n885</a>

Credit: secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
redhat/augeas<1.0.0
1.0.0
Augeas Augeas<=0.10.0
Augeas Augeas=0.0.1
Augeas Augeas=0.0.2
Augeas Augeas=0.0.3
Augeas Augeas=0.0.4
Augeas Augeas=0.0.5
Augeas Augeas=0.0.6
Augeas Augeas=0.0.7
Augeas Augeas=0.0.8
Augeas Augeas=0.1.0
Augeas Augeas=0.1.1
Augeas Augeas=0.2.0
Augeas Augeas=0.2.1
Augeas Augeas=0.2.2
Augeas Augeas=0.3.0
Augeas Augeas=0.3.1
Augeas Augeas=0.3.2
Augeas Augeas=0.3.3
Augeas Augeas=0.3.4
Augeas Augeas=0.3.5
Augeas Augeas=0.3.6
Augeas Augeas=0.4.0
Augeas Augeas=0.4.1
Augeas Augeas=0.4.2
Augeas Augeas=0.5.0
Augeas Augeas=0.5.1
Augeas Augeas=0.5.2
Augeas Augeas=0.5.3
Augeas Augeas=0.6.0
Augeas Augeas=0.7.0
Augeas Augeas=0.7.1
Augeas Augeas=0.7.2
Augeas Augeas=0.7.3
Augeas Augeas=0.7.4
Augeas Augeas=0.8.0
Augeas Augeas=0.8.1
Augeas Augeas=0.9.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203