A security issue fixed upstream in util-linux has been announced: http://openwall.com/lists/oss-security/2018/03/07/2 Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the basesystem maintainers and CC'ing the registered maintainer.
Assignee: bugsquad => basesystemCC: (none) => marja11, tmb
Debian has issued an advisory for this on March 10: https://www.debian.org/security/2018/dsa-4134
Status comment: (none) => Patch available from Debian
Fedora has issued an advisory for this on March 13: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N76EQ5XFDZ7L4B2EBFLEF5PK476OERQB/
Whiteboard: MGA6TOO => MGA6TOO, MGA5TOOSeverity: normal => major
The version now in Cauldron (2.32) already contains this fix.
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOOVersion: Cauldron => 6
Mageia 5 does not contain the affected bash-completion script. Patched package uploaded for Mageia 6. Advisory: ======================== Updated util-linux packages fix security vulnerability: A command injection flaw was found in the way util-linux implements umount autocompletion in Bash. An attacker with the ability to mount a filesystem with custom mount points may execute arbitrary commands on behalf of the user who triggers the umount autocompletion (CVE-2018-7738). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N76EQ5XFDZ7L4B2EBFLEF5PK476OERQB/ ======================== Updated packages in core/updates_testing: ======================== util-linux-2.28.2-2.1.mga6 libblkid1-2.28.2-2.1.mga6 libblkid-devel-2.28.2-2.1.mga6 libuuid1-2.28.2-2.1.mga6 libuuid-devel-2.28.2-2.1.mga6 uuidd-2.28.2-2.1.mga6 python-libmount-2.28.2-2.1.mga6 libmount1-2.28.2-2.1.mga6 libmount-devel-2.28.2-2.1.mga6 libsmartcols1-2.28.2-2.1.mga6 libsmartcols-devel-2.28.2-2.1.mga6 libfdisk1-2.28.2-2.1.mga6 libfdisk-devel-2.28.2-2.1.mga6 from util-linux-2.28.2-2.1.mga6.src.rpm
Status comment: Patch available from Debian => (none)Assignee: basesystem => qa-bugsWhiteboard: MGA5TOO => (none)
MGA6-32 on Dell Latitude D600 MATE No installation issues. Ref bug 20337, there doesn't seem an easy way to test all functionality of this. I let the laptop run, switched power on an attached USB external hard disk. It appeared as expected in caja, and disappeared as promptly when I switched the device off. I cann't see anything going wrong. OK for me.
Whiteboard: (none) => MGA6-32-OKCC: (none) => herman.viaene
Mageia 6, x86_64 There does seem to be a way to reproduce the vulnerability but it is a complex procedure. Shall report back if that is successful.
CC: (none) => tarazed25
Not successful - reporting back anyway. CVE-2018-7738 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179 $ mkdir empty <Generate an iso for the directory empty with a special volume label. $ genisoimage -o test.iso -V '$(IFS=":";cmd="touch:foo";$cmd)' empty I: -input-charset not specified, using utf-8 (detected in locale settings) Total translation table size: 0 Total rockridge attributes bytes: 0 Total directory bytes: 0 Path table size(bytes): 10 Max brk space used 0 174 extents written (0 MB) $ udisksctl loop-setup -f test.iso Mapped file test.iso as /dev/loop0. That launches a file manager with $(IFS=":";cmd="touch:foo";$cmd)listed as a device. # ls /run/media/lcl '$(IFS=":";cmd="touch:foo";$cmd)'/ regulus/ Switch to another user. $ su # cd empty # ls -la total 8 drwxr-xr-x 2 lcl lcl 4096 May 13 08:19 ./ drwxr-xr-x 3 lcl lcl 4096 May 13 08:20 ../ # umount <Tab> ^C This displays a list of all possible completions including /run/media/lcl/\$\(IFS=\":\"\;cmd=\"touch:foo\"\;\$cmd\). # ls -la total 8 drwxr-xr-x 2 lcl lcl 4096 May 13 08:19 ./ drwxr-xr-x 3 lcl lcl 4096 May 13 08:20 ../ If the issue has not been fixed a file called foo should appear in the current directory. Not seen, which implies that the fix had already been applied. Tried various stages of completion as well with ctrl-C but no foo file. The test volume is still mounted. Running the command explicitly fails to unmount the volume but $ umount /dev/loop0 suceeds, without any side effects. # ls /run/media/lcl regulus/ So, it is not possible to reproduce the exploit; running the same test after updating should give the same result.
Updated the packages and ran the test as before. Same result (which is good) and the rogue iso could be unmounted explicitly by root. Unmounting from the desktop icon worked for a USB drive and automounting it worked. As Herman says this is about all we can do.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0237.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED