Bug 7073 - udisks missing update for security issue CVE-2010-4661
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: High normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/440678/
Whiteboard:
Keywords:
Depends on:
Blocks: 7221
Reported: 2012-08-16 00:11 CEST by David Walser
Modified: 2012-08-30 12:00 CEST

See Also:
Source RPM: udisks-1.0.2-3.mga1.src.rpm
CVE:
Status comment:
Description David Walser 2012-08-16 00:11:04 CEST
OpenSuSE has issued an advisory on April 29, 2011:
http://lists.opensuse.org/opensuse-updates/2011-04/msg00082.html

Patched package uploaded for Mageia 1.

Advisory:
========================

Updated udisks packages fix security vulnerability:

Sebastian Krahmer reported that the udisks service (via D-BUS) could be
used to load arbitrary Linux kernel modules (CVE-2010-4661).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4661
http://lists.opensuse.org/opensuse-updates/2011-04/msg00082.html
========================

Updated packages in core/updates_testing:
========================
udisks-1.0.2-3.1.mga1
udisks-devel-1.0.2-3.1.mga1

from udisks-1.0.2-3.1.mga1.src.rpm

Comment 1 Dave Hodgins 2012-08-22 03:32:43 CEST
Looking at https://bugzilla.novell.com/show_bug.cgi?id=653900#c1
If I understand correctly

dbus-send --system --print-reply --dest=org.freedesktop.UDisks          \
                   /org/freedesktop/UDisks/devices/sr0                  \
                   org.freedesktop.UDisks.Device.FilesystemMount        \
                   string:'vfat' array:string:''

On a system where the vfat kernel module was not already loaded, should
result in the vfat module getting loaded, but this is not happening,
so I can't recreate the problem.

As I can't recreate the problem, just testing that udisks is working,
by confirming that a cd is mounted when inserted, while running lxde.

Testing complete on Mageia 1 i586.

I'll test Mageia 1 x86-64 shortly.

CC: (none) => davidwhodgins
Whiteboard: (none) => MGA1-32-OK

Comment 2 Dave Hodgins 2012-08-22 03:51:08 CEST
Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpm
udisks-1.0.2-3.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates?

Advisory: Updated udisks packages fix security vulnerability:

Sebastian Krahmer reported that the udisks service (via D-BUS) could be
used to load arbitrary Linux kernel modules (CVE-2010-4661).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4661
http://lists.opensuse.org/opensuse-updates/2011-04/msg00082.html

https://bugs.mageia.org/show_bug.cgi?id=7073

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1-32-OK => MGA1-32-OK MGA1-64-OK

Comment 3 Thomas Backlund 2012-08-23 10:10:02 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0234

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 4 Thomas Backlund 2012-08-28 14:51:46 CEST
Re-opening as this CVE fix broke ntfs mounting:
https://bugs.mageia.org/show_bug.cgi?id=7221

Keywords: validated_update => (none)
Priority: Normal => High
Status: RESOLVED => REOPENED
Blocks: (none) => 7221
Resolution: FIXED => (none)
Whiteboard: MGA1-32-OK MGA1-64-OK => (none)

Comment 5 David Walser 2012-08-28 18:50:16 CEST
Thanks for letting me know.  The suggested fix has been applied and it's building now.

udisks-1.0.2-3.2.mga1

Comment 6 Thomas Backlund 2012-08-30 12:00:32 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0234-2

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
