Bug 12983 - udisks, udisks2 new security issue CVE-2014-0004
: udisks, udisks2 new security issue CVE-2014-0004
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/590187/
: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-03-10 15:58 CET by David Walser
Modified: 2014-03-15 17:37 CET (History)
4 users (show)

See Also:
Source RPM: udisks, udisks2
CVE:
Status comment:


Attachments

Description David Walser 2014-03-10 15:58:37 CET
Upstream has released new versions of udisks, 1.0.5 and 2.1.3:
http://lists.freedesktop.org/archives/devkit-devel/2014-March/001568.html

They fix a serious security issue that allows local users to execute arbitrary code as root.

Patches are available and a CVE has been assigned:
http://openwall.com/lists/oss-security/2014/03/10/1

Updated packages uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated udisks and udisks2 packages fix security vulnerabilities:

A flaw was found in the way udisks and udisks2 handled long path names. A
malicious, local user could use this flaw to create a specially-crafted
directory structure that could lead to arbitrary code execution with the
privileges of the udisks daemon (root) (CVE-2014-0004).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0004
https://bugzilla.redhat.com/show_bug.cgi?id=1049703
========================

Updated packages in core/updates_testing:
========================
udisks-1.0.4-10.1.mga3
udisks-devel-1.0.4-10.1.mga3
udisks2-2.0.1-2.1.mga3
libudisks2_0-2.0.1-2.1.mga3
libudisks-gir2.0-2.0.1-2.1.mga3
libudisks2-devel-2.0.1-2.1.mga3
udisks-1.0.4-11.1.mga4
udisks-devel-1.0.4-11.1.mga4
udisks2-2.1.1-2.1.mga4
libudisks2_0-2.1.1-2.1.mga4
libudisks-gir2.0-2.1.1-2.1.mga4
libudisks2-devel-2.1.1-2.1.mga4

from SRPMS:
udisks-1.0.4-10.1.mga3.src.rpm
udisks2-2.0.1-2.1.mga3.src.rpm
udisks-1.0.4-11.1.mga4.src.rpm
udisks2-2.1.1-2.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-03-10 16:42:43 CET
Ubuntu has issued an advisory for this today (March 10):
http://www.ubuntu.com/usn/usn-2142-1/

They noted that for them it should just be a DoS issue rather than allowing arbitrary code execution, because of the compiler flags they use.  For other issues where this has been the case in the past, it has been true for us as well.  That would reduce the severity of this.
Comment 2 Marc Lattemann 2014-03-10 22:58:02 CET
don't know how to test this...

Installed all packages without any error and a USB stick will be still mounted in MGA4 32bit XFCE (VBox) to /run/media/marc/Stick/

What else could be done for testing? Please let me know,
Comment 3 Marc Lattemann 2014-03-14 23:51:50 CET
Installed all updated packages in MGA4 64bit and USB-stick is mounted automatically. Until now other test procedures known I will mark as tested successfully.


However logfile shows when restart rtkit-daemon.service

Mar 14 23:43:32 localhost systemd[1]: [/usr/lib/systemd/system/rtkit-daemon.service:32] Unknown lvalue 'ControlGroup' in section 'Service'

but this was also present in previous version, so no regression...
Comment 4 Marc Lattemann 2014-03-15 00:08:17 CET
installed all packages without any error for mga3 32bit and 64bit. Also the error mentioned in Comment #3 is not present in both mga3

If not objections regarding the test procedure this update can be validated after advisory from Comment #0 is uploaded, to get security update pushed.
Comment 5 Dave Hodgins 2014-03-15 01:53:42 CET
Advisory added to svn. Validating the update.

Someone from the sysadmin team please push 12983.adv to updates.
Comment 6 Thomas Backlund 2014-03-15 17:37:17 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0129.html

Note You need to log in before you can comment on or make changes to this bug.