[v2.5] augeas: CVE-2012-0786 CVE-2012-0787 CVE-2013-6412
Multiple flaws were found in the way Augeas handled configuration files when updating them. An application using Augeas to update configuration files in a directory that is writable to by a different user (for example, an application running as root that is updating files in a directory owned by a non-root service user) could have been tricked into overwriting arbitrary files or leaking information via a symbolic link or mount point attack (CVE-2012-0786, CVE-2012-0787).
A flaw was found in the way Augeas handled certain umask settings when creating new configuration files. This flaw could result in configuration files being created as world writable, allowing unprivileged local users to modify their content (CVE-2013-6412).
(from redmine: issue id 2668, created on 2014-02-04, closed on 2014-03-03)
- parent #2666 (closed)
- Revision 925aedc7 by Natanael Copa on 2014-03-03T14:32:46Z:
main/augeas: security fix for CVE-2012-0786 and CVE-2012-0787 fixes #2668