| Summary: | util-linux - mount folder existence information disclosure (CVE-2013-0157) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Oden Eriksson <oe> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | luigiwalser, sysadmin-bugs, thierry.vignaud, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/539441/ | ||
| Whiteboard: | has_procedure mga2-64-ok mga2-32-ok | ||
| Source RPM: | util-linux-2.21.1-1.mga2.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 9867 | ||
| Attachments: | the fix | ||
|
Description
Oden Eriksson
2013-01-06 21:28:26 CET
Created attachment 3325 [details]
the fix
The fix was taken from util-linux-2.22.2, but won't help since /bin/mount and /bin/umount both have the suid bit set...
David Walser
2013-01-31 22:53:12 CET
CC:
(none) =>
luigiwalser
David Walser
2013-01-31 22:53:52 CET
CC:
(none) =>
tmb
David Walser
2013-01-31 22:54:00 CET
CC:
(none) =>
thierry.vignaud
David Walser
2013-02-01 19:42:44 CET
Summary:
CVE-2013-0157: util-linux - mount folder existence information disclosure =>
util-linux - mount folder existence information disclosure (CVE-2013-0157)

RedHat has issued an advisory for this today (February 21):
https://rhn.redhat.com/errata/RHSA-2013-0517.html

They reference 4 upstream commits:
https://bugzilla.redhat.com/show_bug.cgi?id=892330

It looks like some of that is in our Cauldron package, and some is not, and none of it is in our Mageia 2 package.

LWN reference:
http://lwn.net/Vulnerabilities/539441/
David Walser
2013-02-21 23:06:11 CET
Source RPM:
(none) =>
util-linux-2.22.2-3.mga3.src.rpm
David Walser
2013-02-21 23:06:19 CET
Version:
2 =>
Cauldron

Our Cauldron package is not vulnerable to this.

Version:
Cauldron =>
2

Confirmed our Mageia 2 package is vulnerable.

Patched package uploaded for Mageia 2.

Patch added to Mageia 1 SVN.

Advisory:
========================

Updated util-linux packages fix security vulnerability:

An information disclosure flaw was found in the way the mount command reported errors. A local attacker could use this flaw to determine the existence of files and directories they do not have access to (CVE-2013-0157).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0157
https://rhn.redhat.com/errata/RHSA-2013-0517.html
========================

Updated packages in core/updates_testing:
========================
util-linux-2.21.1-1.1.mga2
libblkid1-2.21.1-1.1.mga2
libblkid-devel-2.21.1-1.1.mga2
libuuid1-2.21.1-1.1.mga2
libuuid-devel-2.21.1-1.1.mga2
uuidd-2.21.1-1.1.mga2
libmount1-2.21.1-1.1.mga2
libmount-devel-2.21.1-1.1.mga2

from util-linux-2.21.1-1.1.mga2.src.rpm

Assignee:
bugsquad =>
qa-bugs
David Walser
2013-04-19 16:43:25 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/539441/

(In reply to Oden Eriksson from comment #6)
> And, what about the suid bit as in Comment 1 ?

The patch I used was different than yours. Do the PoC's from Comment 0 still work with the update or not?

Testing mga2 64
Some issues with systemd, see below.
Before
------
$ ls -ld /root/.ssh
ls: cannot access /root/.ssh: Permission denied
$ ls -ld /root/.foo
ls: cannot access /root/.foo: Permission denied
$ mount --guess-fstype /root/.ssh/../../dev/sda1
ext3
$ mount --guess-fstype /root/.foo/../../dev/sda1
unknown
$ mount /root/.ssh/../../dev/cdrom
mount: can't find /root/.ssh/../../dev/cdrom in /etc/fstab or /etc/mtab
$ mount /root/.foo/../../dev/cdrom
mount: can't find /root/.foo/../../dev/cdrom in /etc/fstab or /etc/mtab
$ mount /root/.ssh/../../dev/sr0
mount: can't find /root/.ssh/../../dev/sr0 in /etc/fstab or /etc/mtab
Comparing the output of blkid as root, before and after. Also checking uuidd daemon and output of some commands from "urpmf util-linux | grep bin" such as dmesg, fdisk, logger, whereis
# service uuidd start
Starting uuidd (via systemctl): Job failed. See system journal and 'systemctl status' for details. [FAILED]
# systemctl status uuidd.service
uuidd.service - LSB: UUID daemon
Loaded: loaded (/etc/rc.d/init.d/uuidd)
Active: failed (Result: resources) since Thu, 25 Apr 2013 10:41:25 +0100; 11s ago
Process: 23971 ExecStart=/etc/rc.d/init.d/uuidd start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/uuidd.service
# tail /var/log/syslog
Apr 25 10:41:25 localhost uuidd[23971]: Starting uuidd: [ OK ]
Apr 25 10:41:25 localhost systemd[1]: PID file /var/lib/libuuid/uuidd.pid not readable (yet?) after start.
Apr 25 10:41:25 localhost systemd[1]: Unit uuidd.service entered failed state.
# ps aux | grep uuid
uuidd 24000 0.0 0.0 14376 96 ? Ss 10:41 0:00 /usr/sbin/uuidd
# ll /var/lib/libuuid/uuidd.pid
ls: cannot access /var/lib/libuuid/uuidd.pid: No such file or directory
So, it appears to actually be starting from the init file but systemd isn't finding the pid file and declares a failure. /var/lib/libuuid/ is empty. Directory ownership seems OK but the path for pid file is incorrect as the init file is set to /var/run/uuidd/uuidd.pid.
# ll -d /var/lib/libuuid
drwxrwsr-x 2 uuidd uuidd 4096 Apr 8 2012 /var/lib/libuuid/
From /etc/init.d/uuidd..
# pidfile: /var/lib/libuuid/uuidd.pid
daemon --user uuidd --pidfile /var/run/uuidd/uuidd.pid /usr/sbin/uuidd
Some tests..
# uuidd -r << returns a random uuid
bae72f3e-7699-4f97-b162-5f554c6993ef
# uuidd -t << returns a time based uuid
108bec70-ad8e-11e2-a5da-00218514ca4e
After
-----
All OK apart from uuidd, same issue.

Whiteboard:
(none) =>
feedback has_procedure

Forgot to post the results of PoC after..

$ mount --guess-fstype /root/.ssh/../../dev/sda1
mount: unrecognized option '--guess-fstype'
..etc
$ mount --guess-fstype /root/.foo/../../dev/sda1
mount: unrecognized option '--guess-fstype'
..etc
$ mount /root/.ssh/../../dev/cdrom
/root/.ssh/../../dev/cdrom: Permission denied
$ mount /root/.foo/../../dev/cdrom
/root/.foo/../../dev/cdrom: Permission denied
$ mount /root/.ssh/../../dev/sr0
/root/.ssh/../../dev/sr0: Permission denied

Mounting usb stick/hdd from the DE still works OK and 'mount' as regular user shows the mount points.

--guess-fstype fails as root also though, is this the correct fix?

(In reply to claire robinson from comment #10)
> --guess-fstype fails as root also though, is this the correct fix?

Yes, it was an undocumented option that in the code previously said that it may be removed again later, and indeed it has been removed now.
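An added regression check for the before/after procedure in this report (not part of the bug thread or of util-linux): it masks the probed path in each response and reports a leak when the existing and the non-existing directory can still be told apart. The function names `mask`, `verdict` and `capture` are made up for this example; the paths and outputs are the ones in the transcripts above.

```sh
#!/bin/sh
# Added example: two probes that differ only in whether the unreadable
# directory exists must look identical once the probed path is masked.

# mask PATH TEXT: print TEXT with each literal occurrence of PATH replaced.
mask() {
    P="$1" S="$2" awk 'BEGIN {
        p = ENVIRON["P"]; s = ENVIRON["S"]; out = ""
        if (p == "") { print s; exit }
        while ((i = index(s, p)) > 0) {
            out = out substr(s, 1, i - 1) "<PATH>"
            s = substr(s, i + length(p))
        }
        print out s
    }'
}

# verdict PATH_A OUT_A PATH_B OUT_B: print LEAK if the masked responses
# differ, SAME otherwise. Always returns 0, so it is safe under set -e.
verdict() {
    if [ "$(mask "$1" "$2")" = "$(mask "$3" "$4")" ]; then
        echo SAME
    else
        echo LEAK
    fi
}

# capture CMD...: run a command and print its combined output plus exit
# status, so that the status is compared as well as the message text.
capture() {
    rc=0
    out=$("$@" 2>&1) || rc=$?
    printf '%s [rc=%s]\n' "$out" "$rc"
}

# Paths and outputs below are copied from the transcripts on this page.
EXISTS=/root/.ssh/../../dev
ABSENT=/root/.foo/../../dev

before_guess=$(verdict "$EXISTS/sda1" "ext3" "$ABSENT/sda1" "unknown")
before_mount=$(verdict "$EXISTS/cdrom" \
    "mount: can't find $EXISTS/cdrom in /etc/fstab or /etc/mtab" \
    "$ABSENT/cdrom" \
    "mount: can't find $ABSENT/cdrom in /etc/fstab or /etc/mtab")
after_mount=$(verdict "$EXISTS/cdrom" "$EXISTS/cdrom: Permission denied" \
    "$ABSENT/cdrom" "$ABSENT/cdrom: Permission denied")

printf 'before --guess-fstype: %s\nbefore mount: %s\nafter mount: %s\n' \
    "$before_guess" "$before_mount" "$after_mount"
```

On the "Before" transcript only the `--guess-fstype` pair is distinguishable; the plain `mount` pairs already read the same once the path is masked.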
David Walser
2013-04-25 13:41:59 CEST
Whiteboard:
feedback has_procedure =>
has_procedure

Please file another bug for the uuidd issue.

Bug 9867 created but seems likely to be a trivial fix
David Walser
2013-04-25 15:56:12 CEST
Blocks:
(none) =>
9867

uuidd issue fixed, new package uploaded.

Advisory:
========================

Updated util-linux packages fix security vulnerability:

An information disclosure flaw was found in the way the mount command reported errors. A local attacker could use this flaw to determine the existence of files and directories they do not have access to (CVE-2013-0157).

Additionally, an error in the init script for the uuidd service was corrected. The error affected systemd's ability to tell that the service is running.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0157
https://rhn.redhat.com/errata/RHSA-2013-0517.html
========================

Updated packages in core/updates_testing:
========================
util-linux-2.21.1-1.2.mga2
libblkid1-2.21.1-1.2.mga2
libblkid-devel-2.21.1-1.2.mga2
libuuid1-2.21.1-1.2.mga2
libuuid-devel-2.21.1-1.2.mga2
uuidd-2.21.1-1.2.mga2
libmount1-2.21.1-1.2.mga2
libmount-devel-2.21.1-1.2.mga2

from util-linux-2.21.1-1.2.mga2.src.rpm

Testing complete mga2 64

Confirmed the uuidd fix and CVE still closed, thanks David.

Whiteboard:
has_procedure =>
has_procedure mga2-64-ok

Testing complete mga2 32

Validating

Advisory & SRPM in comment 14

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords:
(none) =>
validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0126

Status:
NEW =>
RESOLVED |