augeas-1.0.0-5.AXS4.1

A library for programmatically editing configuration files. Augeas parses configuration files into a tree structure, which it exposes through its public API. Changes made through the API are written back to the initially read files.

The transformation works very hard to preserve comments and formatting details. It is controlled by ``lens'' definitions that describe the file format and the transformation into a tree.

Security issues fixed with this release:

• CVE-2012-0786
The transform_save function in transform.c in Augeas before 1.0.0 allows local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on a .augnew file.

• CVE-2012-0787
The clone_file function in transfer.c in Augeas before 1.0.0, when copy_if_rename_fails is set and EXDEV or EBUSY is returned by the rename function, allows local users to overwrite arbitrary files and obtain sensitive information via a bind mount on the (1) .augsave or (2) destination file when using the backup save option, or (3) .augnew file when using the newfile save option.

• CVE-2013-6412
The transform_save function in transform.c in Augeas 1.0.0 through 1.1.0 does not properly calculate the permission values when the umask contains a "7," which causes world-writable permissions to be used for new files and allows local users to modify the files via unspecified vectors.

Fixed bugs:

• Previously, Augeas could not parse files containing single quotes with the XML lens. This has been fixed: single quotes are now handled like valid characters.

• Previously, Augeas could not set up the "require_ssl_reuse" option in the vsftpd.conf file. This has been fixed.

• The XML lens now supports non-Unix line endings (CRLF line endings).

• Augeas can now parse modprobe.conf files containing spaces around "=" characters in option directives.