Bug 12983

Summary: udisks, udisks2 new security issue CVE-2014-0004
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, marc.lattemann, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/590187/
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory
Source RPM: udisks, udisks2 CVE:
Status comment:

Description David Walser 2014-03-10 15:58:37 CET 
Upstream has released new versions of udisks, 1.0.5 and 2.1.3:
http://lists.freedesktop.org/archives/devkit-devel/2014-March/001568.html

They fix a serious security issue that allows local users to execute arbitrary code as root.

Patches are available and a CVE has been assigned:
http://openwall.com/lists/oss-security/2014/03/10/1

Updated packages uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated udisks and udisks2 packages fix security vulnerabilities:

A flaw was found in the way udisks and udisks2 handled long path names. A
malicious, local user could use this flaw to create a specially-crafted
directory structure that could lead to arbitrary code execution with the
privileges of the udisks daemon (root) (CVE-2014-0004).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0004
https://bugzilla.redhat.com/show_bug.cgi?id=1049703
========================

Updated packages in core/updates_testing:
========================
udisks-1.0.4-10.1.mga3
udisks-devel-1.0.4-10.1.mga3
udisks2-2.0.1-2.1.mga3
libudisks2_0-2.0.1-2.1.mga3
libudisks-gir2.0-2.0.1-2.1.mga3
libudisks2-devel-2.0.1-2.1.mga3
udisks-1.0.4-11.1.mga4
udisks-devel-1.0.4-11.1.mga4
udisks2-2.1.1-2.1.mga4
libudisks2_0-2.1.1-2.1.mga4
libudisks-gir2.0-2.1.1-2.1.mga4
libudisks2-devel-2.1.1-2.1.mga4

from SRPMS:
udisks-1.0.4-10.1.mga3.src.rpm
udisks2-2.0.1-2.1.mga3.src.rpm
udisks-1.0.4-11.1.mga4.src.rpm
udisks2-2.1.1-2.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-03-10 15:58:44 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-03-10 16:42:43 CET 
Ubuntu has issued an advisory for this today (March 10):
http://www.ubuntu.com/usn/usn-2142-1/

They noted that for them it should just be a DoS issue rather than allowing arbitrary code execution, because of the compiler flags they use.  For other issues where this has been the case in the past, it has been true for us as well.  That would reduce the severity of this.
David Walser 2014-03-10 18:01:39 CET

URL: (none) => http://lwn.net/Vulnerabilities/590187/

Comment 2 Marc Lattemann 2014-03-10 22:58:02 CET 
don't know how to test this...

Installed all packages without any error and a USB stick will be still mounted in MGA4 32bit XFCE (VBox) to /run/media/marc/Stick/

What else could be done for testing? Please let me know,

CC: (none) => marc.lattemann

Comment 3 Marc Lattemann 2014-03-14 23:51:50 CET 
Installed all updated packages in MGA4 64bit and USB-stick is mounted automatically. Until now other test procedures known I will mark as tested successfully.


However logfile shows when restart rtkit-daemon.service

Mar 14 23:43:32 localhost systemd[1]: [/usr/lib/systemd/system/rtkit-daemon.service:32] Unknown lvalue 'ControlGroup' in section 'Service'

but this was also present in previous version, so no regression...

Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK MGA4-64-OK

Comment 4 Marc Lattemann 2014-03-15 00:08:17 CET 
installed all packages without any error for mga3 32bit and 64bit. Also the error mentioned in Comment #3 is not present in both mga3

If not objections regarding the test procedure this update can be validated after advisory from Comment #0 is uploaded, to get security update pushed.

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK

Comment 5 Dave Hodgins 2014-03-15 01:53:42 CET 
Advisory added to svn. Validating the update.

Someone from the sysadmin team please push 12983.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Thomas Backlund 2014-03-15 17:37:17 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0129.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED