MidnightBSD

Advisories for augeas

CVE-2012-6607 LOW

The transform_save function in transform.c in Augeas before 1.0.0 allows local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on a .augsave file in a backup save action, a different vector than CVE-2012-0786.

CVSS 2.0

Severity: LOW

Problem Type: CWE-22,

Products Affected

Vendor Product Version
augeas augeas 0.5.3
augeas augeas 0.6.0
augeas augeas 0.3.6
augeas augeas 0.5.2
augeas augeas 0.4.1
augeas augeas 0.8.0
augeas augeas 0.7.2
augeas augeas 0.4.2
augeas augeas 0.0.5
augeas augeas 0.2.1
augeas augeas 0.1.1
augeas augeas 0.2.0
augeas augeas 0.2.2
augeas augeas 0.0.8
augeas augeas 0.7.4
augeas augeas 0.3.2
augeas augeas 0.3.5
augeas augeas 0.0.2
augeas augeas 0.3.4
augeas augeas 0.7.3
augeas augeas 0.3.0
augeas augeas 0.8.1
augeas augeas 0.4.0
augeas augeas 0.5.0
augeas augeas 0.5.1
augeas augeas 0.3.1
augeas augeas 0.0.6
augeas augeas 0.7.1
augeas augeas 0.9.0
augeas augeas 0.0.4
augeas augeas 0.3.3
augeas augeas 0.0.7
augeas augeas 0.0.1
augeas augeas 0.0.3
augeas augeas 0.7.0
augeas augeas *
augeas augeas 0.1.0
CVE-2013-6412 MEDIUM

The transform_save function in transform.c in Augeas 1.0.0 through 1.1.0 does not properly calculate the permission values when the umask contains a "7," which causes world-writable permissions to be used for new files and allows local users to modify the files via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
augeas augeas 1.0.0
augeas augeas 1.1.0
CVE-2017-7555 HIGH

Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,CWE-119,

Products Affected

Vendor Product Version
augeas augeas *