Package: augeas / 0.7.2-1+deb6u1

Metadata

Package: augeas
Version: 0.7.2-1+deb6u1
Patches format: 3.0 (quilt)

Patch series

Each entry below gives the patch file name, its per-file delta (lines changed; insertions +, deletions -, modifications !) and the patch description.
CVE 2012 0786.1.patch

src/internal.c | 15 12 + 3 - 0 !
src/internal.h | 3 3 + 0 - 0 !
src/transform.c | 141 88 + 53 - 0 !
tests/Makefile.am | 3 2 + 1 - 0 !
tests/test-put-symlink-augnew.sh | 52 52 + 0 - 0 !
tests/test-put-symlink-augsave.sh | 52 52 + 0 - 0 !
tests/test-put-symlink-augtemp.sh | 52 52 + 0 - 0 !
tests/test-put-symlink.sh | 5 5 + 0 - 0 !
tests/test-save-empty.sh | 5 3 + 2 - 0 !
9 files changed, 269 insertions(+), 59 deletions(-)

 [patch] prevent symlink attacks via .augnew during saving

Instead of saving into a predictable PATH.augnew file, save into a securely
created PATH.augnew.XXXXXX

* src/transform.c (transform_save):
    write changes to a temporary file in the same directory as the destination
    (either the file's canonical path or the path of .augnew), before renaming

* src/transform.c (transfer_file_attrs):
    use fchown, fchmod etc. on the same file handles to ensure consistent
    permission changes

* bootstrap: add mkstemp gnulib module
* tests/
    test-put-symlink-augnew.sh: test symlink attack when writing .augnew
    test-put-symlink-augsave.sh: test symlink attack when writing .augsave
    test-put-symlink-augtemp.sh: test symlink attack via temp .augnew
    test-put-symlink.sh: also test file modification

Fixes BZ 772257

CVE 2012 0786.2.patch

src/internal.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch] * src/transform.c (xread_file): catch failed fopen, e.g. EACCES


CVE 2012 0786.3.patch

src/transform.c | 10 10 + 0 - 0 !
tests/test-preserve.sh | 15 14 + 1 - 0 !
2 files changed, 24 insertions(+), 1 deletion(-)

 [patch] fix regression in permissions of created files

Commit 16387744 changed temporary file creation to use mkstemp, resulting in
new files being created with 0600 permissions.  For brand new files created
through Augeas, their permissions stayed at 0600 rather than being set by the
umask as before.

  * src/transform.c (transform_save): chmod after creating new files to
    permissions implied by the umask

CVE 2012 0787.patch

src/transform.c | 40 34 + 6 - 0 !
tests/Makefile.am | 5 3 + 2 - 0 !
tests/test-put-mount-augnew.sh | 69 69 + 0 - 0 !
tests/test-put-mount-augsave.sh | 62 62 + 0 - 0 !
tests/test-put-mount.sh | 55 55 + 0 - 0 !
5 files changed, 223 insertions(+), 8 deletions(-)

 [patch] prevent cross-mountpoint attacks via .augsave during saving

Previously Augeas would open PATH.augsave for writing if a rename from PATH to
PATH.augsave failed, then write the file contents in.  Now if the rename fails,
it tries to unlink PATH.augsave and open it with O_EXCL first.

Mountpoints remain permitted at either PATH or PATH.augnew provided
/augeas/save/copy_if_rename_fails exists.

* src/transform.c (clone_file):
    add argument to perform unlink and O_EXCL on destination filename after a
    rename failure to prevent PATH.augsave being a mountpoint
* src/transform.c (transform_save, remove_file):
    always try to unlink PATH.augsave if rename fails, only allowing PATH to be
    a mountpoint; allow PATH or PATH.augnew to be mountpoints
* tests/
    test-put-mount: check PATH being a mountpoint is supported
    test-put-mount-augnew.sh: check PATH.augnew being a mountpoint is supported
    test-put-mount-augsave.sh: check unlink error when PATH.augsave is a mount

Fixes BZ 772261
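The save paths described in the CVE-2012-0786.1 and CVE-2012-0787 patch messages above, as an added example in C; this is not augeas's own code. It contrasts the pre-fix open()-with-O_CREAT write that follows whatever sits at PATH.augnew or PATH.augsave, the mkstemp()-then-rename() save, and the unlink()-then-O_EXCL fallback for PATH.augsave. The helper names (write_follow, write_mkstemp_rename, write_unlink_excl, victim_clobbered), the constructed fixture under /tmp and the use of a directory as a stand-in for a mountpoint (both refuse unlink()) are this example's assumptions.

```c
/* Added example, not augeas code. Helper names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef int (*writer_fn)(const char *dst, const char *data);

static int write_all(int fd, const char *data) {
    size_t len = strlen(data);
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n < 0) return -1;
        data += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Pre-fix behaviour for PATH.augnew and for the .augsave fallback: O_CREAT
 * without O_EXCL follows a symlink planted at dst and truncates its target. */
static int write_follow(const char *dst, const char *data) {
    int fd = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int rc = write_all(fd, data);
    close(fd);
    return rc;
}

/* CVE-2012-0786 fix: mkstemp() creates dst.XXXXXX with O_EXCL in the same
 * directory as dst (so rename() never crosses a filesystem), and rename()
 * replaces the name at dst rather than writing through it. */
static int write_mkstemp_rename(const char *dst, const char *data) {
    char tmpl[4096];
    if (snprintf(tmpl, sizeof tmpl, "%s.XXXXXX", dst) >= (int)sizeof tmpl) return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    int rc = write_all(fd, data);
    if (rc == 0) rc = fsync(fd);
    close(fd);
    if (rc == 0) rc = rename(tmpl, dst);
    if (rc != 0) unlink(tmpl);          /* leave nothing behind on failure */
    return rc;
}

/* CVE-2012-0787 fix for the .augsave fallback: remove whatever is at dst,
 * then create it with O_EXCL. A mountpoint cannot be unlinked, so the save
 * fails here instead of writing through the mount. */
static int write_unlink_excl(const char *dst, const char *data) {
    if (unlink(dst) < 0 && errno != ENOENT) return -1;
    int fd = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    int rc = write_all(fd, data);
    close(fd);
    return rc;
}

/* Constructed fixture under /tmp: a victim file and, at dst, either a
 * symlink to it (dst_is_dir == 0) or a directory standing in for a
 * mountpoint (dst_is_dir == 1). Returns 1 if the victim's contents were
 * replaced, 0 if they are intact, -1 if the writer reported failure. */
static int victim_clobbered(writer_fn writer, int dst_is_dir) {
    char dir[] = "/tmp/augsave-demo.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char victim[64], dst[64], buf[64] = {0};
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dst, sizeof dst, "%s/config.augsave", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write_all(fd, "secret\n") < 0) return -1;
    close(fd);
    if (dst_is_dir ? mkdir(dst, 0700) : symlink(victim, dst)) return -1;

    int rc = writer(dst, "attacker-chosen\n");

    fd = open(victim, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0) close(fd);
    int clobbered = (n < 0 || strcmp(buf, "secret\n") != 0);

    unlink(victim);
    if (dst_is_dir) rmdir(dst); else unlink(dst);
    rmdir(dir);
    return rc < 0 ? -1 : clobbered;
}

int main(void) {
    printf("follow: %d  mkstemp+rename: %d  unlink+O_EXCL: %d  mount stand-in: %d\n",
           victim_clobbered(write_follow, 0), victim_clobbered(write_mkstemp_rename, 0),
           victim_clobbered(write_unlink_excl, 0), victim_clobbered(write_unlink_excl, 1));
    return 0;
}
```

Forcing rename() to fail the way a cross-device move does is not portable, so the block exercises the fallback routine directly; in the patched flow it runs only after rename(PATH, PATH.augsave) has failed. The symlink case stands in for any name an unprivileged user can plant in the target directory.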

CVE 2013 6412.patch

src/transform.c | 2 1 + 1 - 0 !
tests/test-save.c | 48 48 + 0 - 0 !
2 files changed, 49 insertions(+), 1 deletion(-)

 [patch] fix umask handling when creating new files

  * src/transform.c (transform_save): faulty umask arithmetic would cause
    overly-open file modes when the umask contains "7", as the umask was
    incorrectly subtracted from the target file mode

Fixes CVE-2013-6412, RHBZ#1034261
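The arithmetic behind the two umask messages above (the 0600 regression from mkstemp() addressed in CVE-2012-0786.3 and the faulty subtraction addressed in CVE-2013-6412), as an added example in C rather than augeas code. It compares subtracting the umask from 0666 with masking it out, shows what open(O_CREAT, 0666) gives under the same umask, and reproduces the fix's sequence of mkstemp() followed by fchmod(). The helper names and the /tmp paths are this example's assumptions.

```c
/* Added example, not augeas code. Helper names are hypothetical. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The faulty form: treating the umask as a number to subtract. Octal borrow
 * turns a 7 digit into open bits; it agrees with the correct answer for the
 * common umask 022, which is how it went unnoticed. */
static mode_t mode_buggy(mode_t um) { return 0666 - um; }

/* The correct form: the umask names bits to clear. */
static mode_t mode_fixed(mode_t um) { return 0666 & ~um; }

/* What open(O_CREAT, 0666) produces under umask um, i.e. the behaviour new
 * files had before mkstemp() was introduced. Returns st_mode & 0777 or -1. */
static int mode_via_open(mode_t um) {
    char dir[] = "/tmp/augmode.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char path[64];
    snprintf(path, sizeof path, "%s/new", dir);
    mode_t saved = umask(um);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(saved);
    int bits = -1;
    struct stat st;
    if (fd >= 0 && fstat(fd, &st) == 0) bits = st.st_mode & 0777;
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(dir);
    return bits;
}

/* The fixed save path: mkstemp() yields 0600 whatever the umask, so a
 * brand-new file must be fchmod()-ed to the umask-implied mode afterwards.
 * mode_fn selects the arithmetic. Returns st_mode & 0777 after fchmod or -1. */
static int mode_via_mkstemp(mode_t um, mode_t (*mode_fn)(mode_t)) {
    char tmpl[] = "/tmp/augmode.XXXXXX";
    mode_t saved = umask(um);
    int fd = mkstemp(tmpl);
    umask(saved);
    if (fd < 0) return -1;
    struct stat st;
    int bits = -1;
    if (fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600    /* mkstemp's fixed mode */
        && fchmod(fd, mode_fn(um)) == 0 && fstat(fd, &st) == 0)
        bits = st.st_mode & 0777;
    close(fd);
    unlink(tmpl);
    return bits;
}

int main(void) {
    mode_t masks[] = { 022, 027, 077 };
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++)
        printf("umask %03o: open() %04o  mkstemp+fchmod fixed %04o  buggy %04o\n",
               masks[i], mode_via_open(masks[i]),
               mode_via_mkstemp(masks[i], mode_fixed), mode_via_mkstemp(masks[i], mode_buggy));
    return 0;
}
```

With umask 027 the subtraction yields 0637 (world gets rwx), and with 077 it yields 0567; masking gives 0640 and 0600, matching what open() itself would have created.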

cutest macros.patch

tests/test-save.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

---