Advisories » MGASA-2014-0058

Updated augeas package fixes security vulnerabilities

Publication date: 12 Feb 2014
Modification date: 12 Feb 2014
Type: security
Affected Mageia releases: 3
CVE: CVE-2012-0786, CVE-2012-0787, CVE-2013-6412

Description

Multiple flaws were found in the way Augeas handled configuration files
when updating them. An application using Augeas to update configuration
files in a directory that is writable by a different user (for example,
an application running as root that is updating files in a directory owned
by a non-root service user) could have been tricked into overwriting
arbitrary files or leaking information via a symbolic link or mount point
attack (CVE-2012-0786, CVE-2012-0787).

A flaw was found in the way Augeas handled certain umask settings when
creating new configuration files. This flaw could result in configuration
files being created as world writable, allowing unprivileged local users to
modify their content (CVE-2013-6412).
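
The following C sketch is an added example, not code from this advisory or from Augeas. It shows a file-update pattern that avoids both problem classes described above for the final path component: the new content goes to a fresh temporary file, the mode is set explicitly instead of being derived from the umask, and the file is renamed into place. The names safe_replace and demo, the /tmp path and the file contents are assumptions made for illustration; symbolic links or mount points in parent directories are outside what it covers.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not Augeas code: atomically replace `path` with `data`
 * using an explicit `mode`. Returns 0 on success, -1 on error. */
int safe_replace(const char *path, const char *data, mode_t mode)
{
    char tmp[4096];
    size_t len = strlen(data);
    int n = snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    if (n < 0 || n >= (int)sizeof tmp)
        return -1;
    int fd = mkstemp(tmp);   /* O_CREAT|O_EXCL: never opens a pre-planted link */
    if (fd < 0) return -1;
    /* fchmod() sets the mode exactly; the process umask plays no part. */
    int ok = fchmod(fd, mode) == 0 && write(fd, data, len) == (ssize_t)len;
    ok = close(fd) == 0 && ok;
    /* rename() replaces a symlink at `path` itself instead of following it. */
    if (!ok || rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Constructed scenario: app.conf is a planted symlink to `victim`, umask is 0. */
int demo(void)
{
    char dir[] = "/tmp/mgasa-demo-XXXXXX", conf[4096], victim[4096];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(conf, sizeof conf, "%s/app.conf", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(victim, conf) != 0) return -1;
    mode_t old = umask(0);
    int rc = safe_replace(conf, "key=value\n", 0644);
    umask(old);
    int ok = rc == 0 && lstat(conf, &st) == 0 && S_ISREG(st.st_mode) &&
             (st.st_mode & 07777) == 0644;  /* link replaced, not world-writable */
    ok = ok && stat(victim, &st) == 0 && st.st_size == 0;  /* victim untouched */
    unlink(conf); unlink(victim); rmdir(dir);
    return ok ? 0 : 1;
}
int main(void) { return demo(); }
```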
                

References

SRPMS

3/core