Bug 16910

Summary: Security issue with Isodumper
Product: Mageia Reporter: papoteur <yvesbrungard>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/660421/
Whiteboard: MGA5-64-OK advisory
Source RPM: isodumper-0.42 CVE:
Status comment:

Description papoteur 2015-10-06 08:01:38 CEST 
Description of problem:
https://github.com/linuxmint/mintstick/issues/42
https://bugs.launchpad.net/linuxmint/+bug/1460775
File :
/usr/lib/minstick/raw_format.py

Example Demo Exploid :
=====================
If you run mintstick and you type in this text as a VOLUME LABEL :

$(ls>x.txt)

... a file x.txt will be created in the roots home folder as a proof of concept.

Reason is this the python script "raw_format.py" , line 53-59 :

        # Format partition according to the fstype specified
        if fstype == "fat32":
            os.system("mkdosfs -F 32 -n \"%s\" %s >/dev/null 2>&1" % (volume_label, partition.path))
        if fstype == "ntfs":
            os.system("mkntfs -f -L \"%s\" %s >/dev/null 2>&1" % (volume_label, partition.path))
        elif fstype == "ext4":
            os.system("mkfs.ext4 -E root_owner=%s:%s -L \"%s\" %s >/dev/null 2>&1" % (uid, gid, volume_label, partition.path))

Here the volume label text "$(ls>x.txt)" gets into %s and will be injected and executed as a shell command.

Version-Release number of selected component (if applicable):
0.42



Reproducible: 

Steps to Reproduce:
papoteur 2015-10-06 08:02:41 CEST

Assignee: bugsquad => geiger.david68210

Comment 1 papoteur 2015-10-06 08:05:32 CEST 
A correction is pushed on git.
Papoteur
Comment 2 Mageia Robot 2015-10-06 09:39:21 CEST 
commit 55d4b990b22a46273430910fe40bb2f7f381ef8f
Author: SARL ENR 68 <david@...>
Date:   Tue Oct 6 09:39:04 2015 +0200

    New release 0.43
    
    - fix for bug mga#16910
---
 Commit Link:
   http://gitweb.mageia.org/software/isodumper/commit/?id=55d4b990b22a46273430910fe40bb2f7f381ef8f
Rémi Verschelde 2015-10-06 10:54:10 CEST

Version: 5 => Cauldron
Whiteboard: (none) => MGA5TOO

Comment 3 Rémi Verschelde 2015-10-06 10:55:55 CEST 
(In reply to Mageia Robot from comment #2)
> commit 55d4b990b22a46273430910fe40bb2f7f381ef8f
> Author: SARL ENR 68 <david@...>
> Date:   Tue Oct 6 09:39:04 2015 +0200
> 
>     New release 0.43
>     
>     - fix for bug mga#16910
> ---
>  Commit Link:
>   
> http://gitweb.mageia.org/software/isodumper/commit/
> ?id=55d4b990b22a46273430910fe40bb2f7f381ef8f

Just for the reference, it would have been better to mention mga#16910 in the actual commit that fixes the issue (http://gitweb.mageia.org/software/isodumper/commit/?id=12e34b26a99ada6c22fcee5abaac5a90fb2b8cf3) instead of the commit that creates the 0.43 version.
Comment 4 Rémi Verschelde 2015-10-06 10:56:26 CEST 
Fixed package was pushed to Cauldron already.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 5 papoteur 2015-10-06 11:23:45 CEST 
(In reply to Rémi Verschelde from comment #3)
> (In reply to Mageia Robot from comment #2)
> > commit 55d4b990b22a46273430910fe40bb2f7f381ef8f
> > Author: SARL ENR 68 <david@...>
> > Date:   Tue Oct 6 09:39:04 2015 +0200
> > 
> >     New release 0.43
> >     
> >     - fix for bug mga#16910
> > ---
> >  Commit Link:
> >   
> > http://gitweb.mageia.org/software/isodumper/commit/
> > ?id=55d4b990b22a46273430910fe40bb2f7f381ef8f
> 
> Just for the reference, it would have been better to mention mga#16910 in
> the actual commit that fixes the issue
> (http://gitweb.mageia.org/software/isodumper/commit/
> ?id=12e34b26a99ada6c22fcee5abaac5a90fb2b8cf3) instead of the commit that
> creates the 0.43 version.

It's because I created the bug report after commiting the corrections.
Why would have been better? Is there an effect to mention mga#16910 in commit message?
Comment 6 Rémi Verschelde 2015-10-06 11:30:49 CEST 
(In reply to papoteur from comment #5)
> 
> It's because I created the bug report after commiting the corrections.
> Why would have been better? Is there an effect to mention mga#16910 in
> commit message?

Ah ok, then I guess it's fine. The effect of mentioning the bug report in the commit message creates the automatic comment above, so generally speaking it's best to do it in the actual fix commit (so that someone reading the bug report gets a direct link to the patch).

But if the bug report has been created afterwards, you couldn't mention it indeed :)
Comment 7 David GEIGER 2015-10-06 11:31:52 CEST 

Advisory:
========================

The volume label text could be injected and executed as a shell command
in raw_format.py from isodumper.
Mintstick has been corrected in the same way.
https://github.com/linuxmint/mintstick/issues/42
https://bugs.launchpad.net/linuxmint/+bug/1460775

This update fixes this security issue.

========================

Packages in 5/core/updates_testing:
========================
isodumper-0.43-1.mga5.noarch.rpm

Source RPM: 
========================
isodumper-0.43-1.mga5.src.rpm


How to test this update request:
========================
- See initial comment for test procedure.
David GEIGER 2015-10-06 11:32:22 CEST

Assignee: geiger.david68210 => qa-bugs

Comment 8 Lewis Smith 2015-10-06 21:39:57 CEST 
MGA5 x64
About to try this, but puzzled by something: after installing ISOdumper 0.42:
 $ /usr/lib/mintstick/raw_format.py
 bash: /usr/lib/mintstick/raw_format.py: No such file or directory
[Note mintstick, not minstick].

The only way to write a device (= volume?) label with ISOdumper is
 Format the device/Label for the device.
I tried formatting Fat32 a USB stick with the given bad label "$(ls>x.txt)"; the device [USB stick, *not* partition] label remain unchanged; also that of the ISO image [partition/device eqivalent] it previously contained.

However, an empty file as indicated *was* created in /root :
# ls -l /root
-rw-r--r-- 1 root root    0 Hyd   6 21:07 X.TXT
Deleted this.

Updated to:
 isodumper-0.43-1.mga5
Re-ran it with the same USB stick, Format Fat32 with device label "$(ls>x.txt)". This time the duff [partition/device] label *was* written and recognised/displayed as such by the file manager. Again the USB stick label remained unchanged.
And there was *no* /root/X.TXT file created.

Update OK.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK

Dave Hodgins 2015-10-09 02:42:26 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2015-10-09 20:48:57 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0393.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-10-12 20:34:04 CEST

URL: (none) => http://lwn.net/Vulnerabilities/660421/