Upstream has released new versions of udisks, 1.0.5 and 2.1.3:
http://lists.freedesktop.org/archives/devkit-devel/2014-March/001568.html

They fix a serious security issue that allows local users to execute arbitrary code as root. Patches are available and a CVE has been assigned:
http://openwall.com/lists/oss-security/2014/03/10/1

Updated packages uploaded for Cauldron. Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated udisks and udisks2 packages fix security vulnerabilities:

A flaw was found in the way udisks and udisks2 handled long path names. A malicious, local user could use this flaw to create a specially-crafted directory structure that could lead to arbitrary code execution with the privileges of the udisks daemon (root) (CVE-2014-0004).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0004
https://bugzilla.redhat.com/show_bug.cgi?id=1049703
========================

Updated packages in core/updates_testing:
========================
udisks-1.0.4-10.1.mga3
udisks-devel-1.0.4-10.1.mga3
udisks2-2.0.1-2.1.mga3
libudisks2_0-2.0.1-2.1.mga3
libudisks-gir2.0-2.0.1-2.1.mga3
libudisks2-devel-2.0.1-2.1.mga3

udisks-1.0.4-11.1.mga4
udisks-devel-1.0.4-11.1.mga4
udisks2-2.1.1-2.1.mga4
libudisks2_0-2.1.1-2.1.mga4
libudisks-gir2.0-2.1.1-2.1.mga4
libudisks2-devel-2.1.1-2.1.mga4

from SRPMS:
udisks-1.0.4-10.1.mga3.src.rpm
udisks2-2.0.1-2.1.mga3.src.rpm
udisks-1.0.4-11.1.mga4.src.rpm
udisks2-2.1.1-2.1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
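One way for a tester or an administrator to confirm that a machine actually carries the patched builds listed in the advisory above, as an added example that is not part of this bug report or of the udisks project: the script reimplements RPM's version ordering (the rpmvercmp algorithm, with the `~` separator handled; the `^` separator and epochs are assumed not to occur in these packages) and classifies package names in `rpm -qa` form against the fixed version-release strings from the package list. The FIXED table comes from the list in this bug; the installed package list in `SAMPLE_RPM_QA` is constructed for the example.

```python
import re
from typing import Dict, List

# Version-release strings of the patched builds, taken from the package list in this bug.
FIXED = {
    "mga3": {"udisks": "1.0.4-10.1.mga3", "udisks2": "2.0.1-2.1.mga3"},
    "mga4": {"udisks": "1.0.4-11.1.mga4", "udisks2": "2.1.1-2.1.mga4"},
}

# rpmvercmp compares runs of digits, runs of letters and the '~' separator;
# every other character is only a delimiter.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version (or release) strings like rpm's rpmvercmp().

    Numeric segments compare numerically (leading zeros stripped), alphabetic
    segments compare lexically, a numeric segment beats an alphabetic one, and
    '~' sorts before everything including end of string (1.0~rc1 < 1.0).
    The newer '^' separator is not implemented (assumption: Mageia 3/4 packages
    do not use it). Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    i = 0
    while i < len(ta) or i < len(tb):
        x = ta[i] if i < len(ta) else ""
        y = tb[i] if i < len(tb) else ""
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if not x or not y:
            break
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
        i += 1
    if i >= len(ta) and i >= len(tb):
        return 0
    return -1 if i >= len(ta) else 1


def compare_vr(vr_a: str, vr_b: str) -> int:
    """Compare 'version-release' strings: version first, release as tie-breaker.
    Epochs are assumed absent (none of the packages in this bug carry one)."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def source_package(name: str) -> str:
    """Map a binary package name to the source package the advisory lists it under."""
    if name.startswith("udisks2") or name.startswith("libudisks"):
        return "udisks2"
    return "udisks"


def check_installed(installed: List[str]) -> Dict[str, str]:
    """Classify each name-version-release string as fixed, vulnerable or unknown."""
    verdicts: Dict[str, str] = {}
    for nvr in installed:
        parts = nvr.rsplit("-", 2)
        if len(parts) != 3:
            verdicts[nvr] = "unknown"
            continue
        name, version, release = parts
        branch = re.search(r"\.(mga\d+)$", release)
        if branch is None or branch.group(1) not in FIXED:
            verdicts[nvr] = "unknown"  # not a Mageia 3/4 build; nothing to compare against
            continue
        fixed_vr = FIXED[branch.group(1)][source_package(name)]
        installed_vr = f"{version}-{release}"
        verdicts[nvr] = "fixed" if compare_vr(installed_vr, fixed_vr) >= 0 else "vulnerable"
    return verdicts


# Constructed sample in the shape of `rpm -qa 'udisks*' 'libudisks*'` output; not real data.
SAMPLE_RPM_QA = [
    "udisks-1.0.4-10.mga3",          # the build the mga3 update replaces
    "udisks2-2.1.1-2.1.mga4",        # exactly the patched mga4 build
    "libudisks2_0-2.1.1-2.mga4",     # pre-update mga4 library
    "udisks-devel-1.0.4-11.1.mga4",  # patched mga4 -devel subpackage
    "udisks2-2.1.3-1.mga5",          # Cauldron-style build, outside this advisory
]

if __name__ == "__main__":
    for pkg, verdict in check_installed(SAMPLE_RPM_QA).items():
        print(f"{verdict:10s} {pkg}")
```

Feeding the real output of `rpm -qa 'udisks*' 'libudisks*'` into `check_installed` gives a per-package verdict; anything reported as "vulnerable" is an older build than the advisory's, which complements the functional "does the USB stick still mount" test that the comments below rely on.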
Ubuntu has issued an advisory for this today (March 10): http://www.ubuntu.com/usn/usn-2142-1/ They noted that for them it should just be a DoS issue rather than allowing arbitrary code execution, because of the compiler flags they use. For other issues where this has been the case in the past, it has been true for us as well. That would reduce the severity of this.
URL: (none) => http://lwn.net/Vulnerabilities/590187/
I don't know how to test this... I installed all packages without any error, and a USB stick is still mounted in MGA4 32bit XFCE (VBox) at /run/media/marc/Stick/. What else could be done for testing? Please let me know.
CC: (none) => marc.lattemann
Installed all updated packages in MGA4 64bit and the USB stick is mounted automatically. As no other test procedures are known to me so far, I will mark it as tested successfully. However, the logfile shows the following when restarting rtkit-daemon.service:

Mar 14 23:43:32 localhost systemd[1]: [/usr/lib/systemd/system/rtkit-daemon.service:32] Unknown lvalue 'ControlGroup' in section 'Service'

but this was also present in the previous version, so no regression...
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK MGA4-64-OK
Installed all packages without any error for mga3 32bit and 64bit. Also, the error mentioned in Comment #3 is not present on either mga3. If there are no objections regarding the test procedure, this update can be validated after the advisory from Comment #0 is uploaded, to get the security update pushed.
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK
Advisory added to svn. Validating the update. Someone from the sysadmin team please push 12983.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0129.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED