Bug#812456: davfs2: dies with stack smashing error; can't mount

2016-04-17 Thread Werner Baumann
Moving from flag -fstack-protector to -fstack-protector-strong finally
forced this old bug to show up.

I fixed the bug (and some others) and released version 1.5.4.
Luciano Bello will update the Debian package soon.

Werner



Bug#812456: davfs2: dies with stack smashing error; can't mount

2016-04-02 Thread Werner Baumann
Thanks for the additional information. It helped me to reproduce and
locate the bug.

I will release a new upstream version soon and then notify the Debian
maintainer.

Werner



Bug#812456: davfs2: dies with stack smashing error; can't mount

2016-02-26 Thread Werner Baumann
This is a (very) late reply from upstream.
Sorry for the delay. I hoped somebody else would care because I had no
32-bit testing system.

Now I have upgraded an old Thinkpad from Jessie to Stretch, installed
davfs2-1.5.2-1.2 from Sid and tested. Result:

Works as expected; no stack smashing error. I can't reproduce the
problem.

Could you please verify that the problem still exists, preferably after
updating your system and checking for possible inconsistencies?

Werner



Bug#723034: davfs2: CVE-2013-4362: Unsecure use of system()

2013-09-25 Thread Werner Baumann
There is a stupid error in patchfile davfs2-1.4.6-system.diff which was
submitted by me. Please don't use it.
Appended is the corrected patchfile davfs2-1.4.6-system-2.diff.

Werner
diff -ur davfs2-1.4.6/ChangeLog davfs2-1.4.6.new/ChangeLog
--- davfs2-1.4.6/ChangeLog	2010-04-30 21:17:15.0 +0200
+++ davfs2-1.4.6.new/ChangeLog	2013-09-15 11:05:42.0 +0200
@@ -1,6 +1,11 @@
 ChangeLog for davfs2
 
 
+2013-09-08 Werner Baumann (werner.baum...@onlinehome.de)
+* kernel_interface.c, mount_davfs.c:
+  Don't create /dev/coda and /dev/fuse.
+  Remove insecure calls of system().
+
 2010-04-30 Werner Baumann (werner.baum...@onlinehome.de)
 * Released version 1.4.6
 
diff -ur davfs2-1.4.6/src/kernel_interface.c davfs2-1.4.6.new/src/kernel_interface.c
--- davfs2-1.4.6/src/kernel_interface.c	2010-02-16 20:29:54.0 +0100
+++ davfs2-1.4.6.new/src/kernel_interface.c	2013-09-25 20:24:05.0 +0200
@@ -168,27 +168,6 @@
 }
 
 if (*dev = 0) {
-system(/sbin/modprobe coda /dev/null);
-minor = 0;
-while (*dev = 0  minor  MAX_CODADEVS) {
-char *path;
-if (asprintf(path, %s/%s%i,
- DAV_DEV_DIR, CODA_DEV_NAME, minor)  0)
-abort();
-*dev = open(path, O_RDWR | O_NONBLOCK);
-if (*dev = 0) {
-if (mknod(path, S_IFCHR, makedev(CODA_MAJOR, minor)) == 0) {
-chown(path, 0, 0);
-chmod(path, S_IRUSR | S_IWUSR);
-*dev = open(path, O_RDWR | O_NONBLOCK);
-}
-}
-free(path);
-++minor;
-}
-}
-
-if (*dev = 0) {
 error(0, 0, _(no free coda device to mount));
 return -1;
 }
@@ -223,18 +202,6 @@
 abort();
 
 *dev = open(path, O_RDWR | O_NONBLOCK);
-if (*dev = 0) {
-system(/sbin/modprobe fuse /dev/null);
-*dev = open(path, O_RDWR | O_NONBLOCK);
-}
-if (*dev = 0) {
-if (mknod(path, S_IFCHR, makedev(FUSE_MAJOR, FUSE_MINOR)) == 0) {
-chown(path, 0, 0);
-chmod(path, S_IRUSR | S_IWUSR);
-*dev = open(path, O_RDWR | O_NONBLOCK);
-}
-}
-
 free(path);
 if (*dev = 0) {
 error(0, 0, _(can't open fuse device));
diff -ur davfs2-1.4.6/src/mount_davfs.c davfs2-1.4.6.new/src/mount_davfs.c
--- davfs2-1.4.6/src/mount_davfs.c	2010-01-21 19:50:15.0 +0100
+++ davfs2-1.4.6.new/src/mount_davfs.c	2013-09-15 11:13:18.0 +0200
@@ -170,6 +170,9 @@
 static int
 arg_to_int(const char *arg, int base, const char *opt);
 
+static void
+cp_file(const char *src, const char *dest);
+
 static int
 debug_opts(const char *s);
 
@@ -533,10 +536,7 @@
 char *file_name = ne_concat(path, /, DAV_CONFIG, NULL);
 if (access(file_name, F_OK) != 0) {
 char *template = ne_concat(DAV_DATA_DIR, /, DAV_CONFIG, NULL);
-char *command = ne_concat(cp , template,  , file_name,
-  NULL);
-system(command);
-free(command);
+cp_file(template, file_name);
 free(template);
 }
 free(file_name);
@@ -545,11 +545,7 @@
 if (access(file_name, F_OK) != 0) {
 char *template = ne_concat(DAV_DATA_DIR, /, DAV_SECRETS,
NULL);
-char *command = ne_concat(cp , template,  , file_name,
-  NULL);
-if (system(command) == 0)
-chmod(file_name, S_IRUSR | S_IWUSR);
-free(command);
+cp_file(template, file_name);
 free(template);
 }
 free(file_name);
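Review bot: The secrets file copied here loses its permission restriction: the removed lines ran `chmod(file_name, S_IRUSR | S_IWUSR)` after a successful copy, while the replacement `cp_file(template, file_name);` creates the destination with fopen(3) "w" (see the cp_file body in the last hunk), so the mode comes from the umask and a file that, judging by the DAV_SECRETS name, holds credentials may be readable by other users. Re-adding `chmod(file_name, S_IRUSR | S_IWUSR);` right after the cp_file call restores the old behaviour; a stricter variant creates the file inside cp_file with open(2) O_WRONLY|O_CREAT|O_EXCL and mode S_IRUSR|S_IWUSR followed by fdopen(3), so there is no window in which the file is world-readable. The same chmod drop appears in the copy of this hunk in the earlier davfs2-1.4.6-system.diff further down the page. The enclosing function starts and ends outside the hunk.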
@@ -1333,6 +1329,34 @@
 }
 
 
+/* Creates a copy of src with name dest. */
+static void
+cp_file(const char *src, const char *dest)
+{
+FILE *in = fopen(src, r);
+if (!in)
+error(EXIT_FAILURE, errno, _(can't open file %s), src);
+
+FILE *out = fopen(dest, w);
+if (!out)
+error(EXIT_FAILURE, errno, _(can't open file %s), dest);
+
+size_t n = 0;
+char *line = NULL;
+int length = getline(line, n, in);
+while (length  0) {
+if (fputs(line, out) == EOF) 
+error(EXIT_FAILURE, errno, _(error writing to file %s), dest);
+length = getline(line, n, in);
+}
+
+if (line)
+free(line);
+fclose(out);
+fclose(in);
+}
+
+
 /* Converts a debug option string s into numerical value. If s is not a
valid debug option, it returns 0. */
 static int
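Review bot: cp_file never learns about a failed flush or a read error: `fclose(out);` is unchecked, and the getline(3) loop stops on -1 for both end-of-file and a read error, so either case leaves a short copy of dest while the function returns normally. Checking both closes the gap, e.g. `if (ferror(in)) error(EXIT_FAILURE, errno, _("error reading file %s"), src);` after the loop and `if (fclose(out) != 0) error(EXIT_FAILURE, errno, _("error writing to file %s"), dest);` in place of the bare close. Two smaller points: `int length` should be `ssize_t`, the type getline returns, and `if (line) free(line);` can simply be `free(line);` since free(NULL) is a no-op.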


Bug#723034: Unsecure use of system()

2013-09-15 Thread Werner Baumann
Package: davfs2
Version: 1.4.6-1.1
Severity: critical
Tags: patch, security, upstream

davfs2 calls the function system() several times. Because davfs2 is setuid
root in many cases, this allows privilege escalation.

Appended are patches for version 1.4.6 and 1.4.7 that will fix this bug.

Note: as a consequence davfs2 will no longer try to insert required
kernel modules or create device special files /dev/fuse or /dev/codaX.
So the user has to make sure that one of these devices exists before
mounting a davfs2 file system. As far as I can see /dev/fuse is created
by default on Debian systems. davfs2 uses /dev/fuse by default (and
not /dev/codaX). So this bug fix should not cause any problem on Debian
systems.

Werner (upstream maintainer)
diff -ur davfs2-1.4.6/ChangeLog davfs2-1.4.6.new/ChangeLog
--- davfs2-1.4.6/ChangeLog	2010-04-30 21:17:15.0 +0200
+++ davfs2-1.4.6.new/ChangeLog	2013-09-15 11:05:42.0 +0200
@@ -1,6 +1,11 @@
 ChangeLog for davfs2
 
 
+2013-09-08 Werner Baumann (werner.baum...@onlinehome.de)
+* kernel_interface.c, mount_davfs.c:
+  Don't create /dev/coda and /dev/fuse.
+  Remove insecure calls of system().
+
 2010-04-30 Werner Baumann (werner.baum...@onlinehome.de)
 * Released version 1.4.6
 
Nur in davfs2-1.4.6.new: ChangeLog~.
diff -ur davfs2-1.4.6/src/kernel_interface.c davfs2-1.4.6.new/src/kernel_interface.c
--- davfs2-1.4.6/src/kernel_interface.c	2010-02-16 20:29:54.0 +0100
+++ davfs2-1.4.6.new/src/kernel_interface.c	2013-09-15 11:07:07.0 +0200
@@ -168,27 +168,6 @@
 }
 
 if (*dev = 0) {
-system(/sbin/modprobe coda /dev/null);
-minor = 0;
-while (*dev = 0  minor  MAX_CODADEVS) {
-char *path;
-if (asprintf(path, %s/%s%i,
- DAV_DEV_DIR, CODA_DEV_NAME, minor)  0)
-abort();
-*dev = open(path, O_RDWR | O_NONBLOCK);
-if (*dev = 0) {
-if (mknod(path, S_IFCHR, makedev(CODA_MAJOR, minor)) == 0) {
-chown(path, 0, 0);
-chmod(path, S_IRUSR | S_IWUSR);
-*dev = open(path, O_RDWR | O_NONBLOCK);
-}
-}
-free(path);
-++minor;
-}
-}
-
-if (*dev = 0) {
 error(0, 0, _(no free coda device to mount));
 return -1;
 }
@@ -223,24 +202,6 @@
 abort();
 
 *dev = open(path, O_RDWR | O_NONBLOCK);
-if (*dev = 0) {
-system(/sbin/modprobe fuse /dev/null);
-*dev = open(path, O_RDWR | O_NONBLOCK);
-}
-if (*dev = 0) {
-if (mknod(path, S_IFCHR, makedev(FUSE_MAJOR, FUSE_MINOR)) == 0) {
-chown(path, 0, 0);
-chmod(path, S_IRUSR | S_IWUSR);
-*dev = open(path, O_RDWR | O_NONBLOCK);
-}
-}
-
-free(path);
-if (*dev = 0) {
-error(0, 0, _(can't open fuse device));
-return -1;
-}
-
 if (*buf_size  (FUSE_MIN_READ_BUFFER + 4096)) {
 *buf_size = FUSE_MIN_READ_BUFFER + 4096;
 }
Nur in davfs2-1.4.6.new/src: kernel_interface.c~.
diff -ur davfs2-1.4.6/src/mount_davfs.c davfs2-1.4.6.new/src/mount_davfs.c
--- davfs2-1.4.6/src/mount_davfs.c	2010-01-21 19:50:15.0 +0100
+++ davfs2-1.4.6.new/src/mount_davfs.c	2013-09-15 11:13:18.0 +0200
@@ -170,6 +170,9 @@
 static int
 arg_to_int(const char *arg, int base, const char *opt);
 
+static void
+cp_file(const char *src, const char *dest);
+
 static int
 debug_opts(const char *s);
 
@@ -533,10 +536,7 @@
 char *file_name = ne_concat(path, /, DAV_CONFIG, NULL);
 if (access(file_name, F_OK) != 0) {
 char *template = ne_concat(DAV_DATA_DIR, /, DAV_CONFIG, NULL);
-char *command = ne_concat(cp , template,  , file_name,
-  NULL);
-system(command);
-free(command);
+cp_file(template, file_name);
 free(template);
 }
 free(file_name);
@@ -545,11 +545,7 @@
 if (access(file_name, F_OK) != 0) {
 char *template = ne_concat(DAV_DATA_DIR, /, DAV_SECRETS,
NULL);
-char *command = ne_concat(cp , template,  , file_name,
-  NULL);
-if (system(command) == 0)
-chmod(file_name, S_IRUSR | S_IWUSR);
-free(command);
+cp_file(template, file_name);
 free(template);
 }
 free(file_name);
@@ -1333,6 +1329,34 @@
 }
 
 
+/* Creates a copy of src with name dest. */
+static void
+cp_file(const char *src, const char *dest)
+{
+FILE *in = fopen(src, r);
+if (!in)
+error(EXIT_FAILURE, errno, _(can't open file %s), src);
+
+FILE *out = fopen(dest, w);
+if (!out)
+error(EXIT_FAILURE, errno

Bug#422157: davfs2: file updates losses

2007-05-04 Thread Werner Baumann

Hello Loic,

I have tested.
My system: Etch, some Athlon board
   davfs2 1.1.2-3

What I have done:

1. Mount the resource
   Create files testwb.html and testwb.xml (using gedit)
   unmount the resource

2. Test with cadaver:
   The files are on the server and are readable

3. Delete the cache (just to be sure)
   mount again
   edit both files using vim
   unmount

4. Test with cadaver:
   the files on the server are changed, o.k.

5. mount again
   delete files
   test with cadaver: they are no longer on the server.

Date of the test: approx. 2007-05-04 20:50 +2:00
You may find the entries in the access.log

Probable problem:
Maybe firefox gets confused by index.html and index.xml and only saves 
the xml-version?


Please try again, using editors like gedit, vi, ..., that do *not* treat 
html and xml in any special way. If that succeeds, try to find out what 
firefox is really doing.


If you get the same problem with e.g. vi:
- Make sure there is no mount.davfs process running when you shut down 
your system or the network connection.


Please tell me the results of your tests.

Cheers
Werner
(upstream developer)





Bug#422157: davfs2: file updates losses

2007-05-04 Thread Werner Baumann

P.S.:

The real probable reason:

index.html is just a lot of JavaScript (one of those famous web 2 JavaScript/PHP 
applications). These JavaScript programs may do almost anything. When you 
edit something they usually try to upload it using HTTP POST.


What they will not do (and should not be allowed to do) is saving files 
on the local file system.


If you open the file using your browser (and not some html editor), the 
browser will not write to your davfs2 file system.


Cheers
Werner







Bug#310757: davfs2: doesn't enforce permissions

2005-06-04 Thread Werner Baumann

Hello,

I have done a quick and brutal fix to this. Patch file is attached.

The fix:
- terminate if run setuid, so only root can mount. Reason: davfs2 does 
not enforce mount control by fstab, so if run setuid any user could 
mount with the uid of any other user.
- set uid and gid according to the values given as option. Set file mode 
600 and directory mode 700. Only root and the user given as option may 
use the file system.
- do not allow to change uid, gid and mode of any part of the mounted 
file system.
- for every request (coda upcall) the requesting uid is checked against 
the uid of the file system.


Rationale:
Checking is more restrictive than necessary, but this way it could be 
done with little effort. I also think that a more sophisticated check 
of permissions should be done together with the redesign of other parts 
of davfs2.


Greetings
Werner
diff -Naur davfs2-0.2.3.orig/ChangeLog davfs2-0.2.3/ChangeLog
--- davfs2-0.2.3.orig/ChangeLog 2005-06-03 21:03:13.0 +0200
+++ davfs2-0.2.3/ChangeLog  2005-06-04 13:53:20.0 +0200
@@ -1,5 +1,14 @@
 ChangeLog for Davfs2
 
+2005-06-03 Werner Baumann
+security fix (quick and brutal) concerning file access:
+davfsd.c, util.c, util.h, webdav.c:
+* set filemode to 0600 and dirmode to 0700
+* don't allow change of uid, gid or mode
+* check every coda upcoll for permissions:
+  access is only allowed from owner and root
+* terminate if run setuid
+
 2004-11-01 Robert Spier
* Seems like a good time for 0.2.3
* Changes in the past 11 months include...
diff -Naur davfs2-0.2.3.orig/README davfs2-0.2.3/README
--- davfs2-0.2.3.orig/README2005-06-03 21:03:13.0 +0200
+++ davfs2-0.2.3/README 2005-06-04 13:51:52.0 +0200
@@ -53,7 +53,14 @@
- Use umount for unmount
- example : umount /dav
 
-4. Debugging
+4. User mount
+   - For security reasons only root may mount. mount.davfs must not be run 
setuid.
+   
+5. File permissions:
+   - Permissions are set to 600 (700 for directories).
+ It is not possible to change uid, gid or mode.
+
+6. Debugging
- mount.davfs will not run as a daemon mode.
- configure with --with-debug option
- Coda debug log goes out stdout
@@ -61,9 +68,9 @@
- To save log :  ./mount.davfs http://127.0.0.1/repos/ /dav  coda.log 
2webdav.log
- To kill all running mount.davfs, do 'killall mount.davfs'
 
-5. For more information : http://dav.sf.net
+7. For more information : http://dav.sf.net
 
-6.  Participation
+8.  Participation
   DAVFS is an Open Source project, and we welcome your participation.
   Please join developer mailing list [EMAIL PROTECTED]
   For cvs commit info, join [EMAIL PROTECTED]
diff -Naur davfs2-0.2.3.orig/src/davfsd.c davfs2-0.2.3/src/davfsd.c
--- davfs2-0.2.3.orig/src/davfsd.c  2005-06-03 21:03:13.0 +0200
+++ davfs2-0.2.3/src/davfsd.c   2005-06-04 13:42:46.0 +0200
@@ -68,82 +68,20 @@
 
 static int count = 0;
 
-/* default stat */
-struct stat generic_stat = { 0 /* dev */ , 0 /* pad */ ,
-0 /* inode */ , S_IFREG | 0666 /* mode */ ,
-0, 0, /* uid, gid */ 0 /* device */ , 0 /* pad */ ,
-0 /* size */ , 1024 /* blksize */
-}; /* rest are 0 */
-
-/* Mkdir and Create need to return attr to kernel */
-static void set_mkdir_attr(struct coda_vattr *attr) {
-struct stat stat;
-
-/* Get default mode */
-dav_get_fstat_default(stat);
-
-attr-va_type = C_VDIR;
- 
-/* FIXME: Mode?? */
-attr-va_mode = stat.st_mode | S_IXUSR;
-IFTOCDT(attr-va_mode);
-attr-va_mode |= CDT_DIR;
- 
-attr-va_uid = stat.st_uid;
-attr-va_gid = stat.st_gid;
+struct stat dav_file_stat;
+struct stat dav_dir_stat;
 
-attr-va_size = 512;
-attr-va_blocksize = 1;
-}
-
-
-/* Mkdir and Create need to return attr to kernel */
-static void set_create_attr(struct coda_vattr *attr) {
-#if 0
-struct stat stat;
-
-/* Get default mode */
-dav_get_fstat_default(stat);
-
-attr-va_mode = stat.st_mode;
-IFTOCDT(attr-va_mode);
-attr-va_mode |= CDT_REG;
-
-attr-va_uid = stat.st_uid;
-attr-va_gid = stat.st_gid;
-
-/* Zero for new creation */
-attr-va_size = 0;
-attr-va_blocksize = 0;
-
-#endif
-}
-
-/* change uid/gid to match credentials given by kernel */
-static void setfscred(union inputArgs *in_buf)
-{
-#if CODA_KERNEL_VERSION  2
-DBG1( (uid=%d), in_buf-ih.uid);
-
-setfsuid(in_buf-ih.uid);
-setfsgid(0);
+int dav_has_permission(struct coda_in_hdr *ih) {
+#ifdef NEW_CODA_STRUCTURES
+DBG1(id: %i\n, ih-uid);
+if ((ih-uid != dav_file_stat.st_uid)  (ih-uid != 0))
+return 0;
 #else
-DBG2( (uid=%d,euid=%d,, 
-in_buf-ih.cred.cr_uid, in_buf-ih.cred.cr_euid);
-DBG2( suid=%d,fsuid=%d) , 
-in_buf-ih.cred.cr_suid, in_buf-ih.cred.cr_fsuid);
- 
-setfsuid(in_buf