Bug 715656 - VUL-0: jakarta-commons-daemon: allows remote attackers to bypass read permissions for
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Priority: P3 - Medium, Severity: Major
Assigned To: Security Team bot
maint:released:11.4:43227
Reported: 2011-09-02 08:50 UTC by Thomas Biege
Modified: 2011-10-04 09:07 UTC (History)

Found By: Development
Description Thomas Biege 2011-09-02 08:50:13 UTC
Hi.
There is a security bug in package 'tomcat5'.

This bug is public.

There is no coordinated release date (CRD) set.

CVE number: CVE-2011-2729
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729
CVSS v2 Base Score: 5.8 (important) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Permissions, Privileges, and Access Control (CWE-264)


Original posting:


 files
CVE-ID: CVE-2011-2729
URL: 

native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.
    
    
Reference: CONFIRM: https://issues.apache.org/jira/browse/DAEMON-214
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=730400
Reference: XF: http://xforce.iss.net/xforce/xfdb/69161
Reference: BID: http://www.securityfocus.com/bid/49143
Reference: CONFIRM: http://tomcat.apache.org/security-7.html
Reference: CONFIRM: http://tomcat.apache.org/security-6.html
Reference: CONFIRM: http://tomcat.apache.org/security-5.html
Reference: CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1153824
Reference: CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1153379
Reference: CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1152701
Reference: SECTRACK: http://securitytracker.com/id?1025925
Reference: CONFIRM: http://people.apache.org/~markt/patches/2011-08-12-cve2011-2729-tc5.patch
Reference: MLIST: http://mail-archives.apache.org/mod_mbox/tomcat-announce/201108.mbox/%3C4E45221D.1020306@apache.org%3E
Reference: MLIST: http://mail-archives.apache.org/mod_mbox/commons-dev/201108.mbox/%3C4E451B2B.9090108@apache.org%3E
Comment 2 Swamp Workflow Management 2011-09-05 14:38:53 UTC
The SWAMPID for this issue is 43033.
This issue was rated as important.
Please submit fixed packages until 2011-09-12.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 Michal Vyskocil 2011-09-06 13:44:53 UTC
jakarta-commons-daemon 1.0.1 used in all SLESes and openSUSE 11.3 is not vulnerable, as this version does not use CAP_DAC_OVERRIDE removed by patch [1]. This version tries to set up the CAP_NET_BIND_SERVICE and optionally CAP_SETGID and CAP_SETGID - see [2] line 108 for definitions and linuxset_user_group on line 142 for usage.

Thus only 11.4 and Factory have to be fixed ...

[1] http://svn.apache.org/viewvc/commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c?r1=1152701&r2=1152700&pathrev=1152701
[2] http://svn.apache.org/viewvc/commons/proper/daemon/tags/daemon-1_0_1/src/native/unix/native/jsvc-unix.c?revision=560660&view=markup
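
The assessment in comment 6 turns on which capabilities jsvc holds. As an added example (not part of the bug report and not Apache Commons Daemon code), this C program reads the effective capability mask of a running process from /proc/<pid>/status and reports whether CAP_DAC_OVERRIDE is still held. The helper names are hypothetical, and the allow-list of CAP_NET_BIND_SERVICE alone is an assumed policy.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_BIT(n)           (UINT64_C(1) << (n))
#define BIT_DAC_OVERRIDE     1
#define BIT_NET_BIND_SERVICE 10

/* Find the line "<field>:\t<hex mask>" (field is e.g. "CapEff") in the text of
 * /proc/<pid>/status. Returns 0 and stores the mask, -1 if missing or malformed. */
int cap_mask_from_status(const char *status, const char *field, uint64_t *mask)
{
    size_t flen = strlen(field);
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *val = line + flen + 1;
            while (*val == ' ' || *val == '\t') val++;
            if (!isxdigit((unsigned char)*val)) return -1;
            *mask = strtoull(val, NULL, 16);
            return 0;
        }
        line = strchr(line, '\n');   /* advance to the next line, if any */
        if (line) line++;
    }
    return -1;
}

/* Capabilities held beyond the allow-list; non-zero means over-privileged. */
uint64_t excess_caps(uint64_t held, uint64_t allowed)
{
    return held & ~allowed;
}

int main(int argc, char **argv)
{
    char path[64], buf[8192];
    snprintf(path, sizeof path, "/proc/%s/status", argc > 1 ? argv[1] : "self");
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 2; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    uint64_t eff, allowed = CAP_BIT(BIT_NET_BIND_SERVICE); /* assumed policy */
    if (cap_mask_from_status(buf, "CapEff", &eff) != 0) return 2;
    printf("CapEff=%016llx CAP_DAC_OVERRIDE=%s\n", (unsigned long long)eff,
           (eff & CAP_BIT(BIT_DAC_OVERRIDE)) ? "held" : "absent");
    return excess_caps(eff, allowed) ? 1 : 0;
}
```

Run it with the PID of the jsvc child process as the only argument; exit status 1 means the process holds capabilities outside the allow-list.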
Comment 7 Michal Vyskocil 2011-09-06 14:01:35 UTC
Sent 1.0.7 to Factory by request 81091
Fix 1.0.4 in 11.4 by request 81092
Comment 8 Bernhard Wiedemann 2011-09-06 15:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (715656) was mentioned in
https://build.opensuse.org/request/show/81091 Factory / jakarta-commons-daemon
Comment 9 Swamp Workflow Management 2011-09-16 13:17:40 UTC
The SWAMPID for this issue is 43226.
This issue was rated as important.
Please submit fixed packages until 2011-09-23.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 10 Swamp Workflow Management 2011-09-23 07:52:45 UTC
Update released for: jakarta-commons-daemon, jakarta-commons-daemon-debuginfo, jakarta-commons-daemon-debugsource, jakarta-commons-daemon-java, jakarta-commons-daemon-javadoc
Products:
openSUSE 11.4 (debug, i586, x86_64)
Comment 11 Matthias Weckbecker 2011-10-04 09:07:11 UTC
updates released