Bug 8615 - util-linux - mount folder existence information disclosure (CVE-2013-0157)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: http://lwn.net/Vulnerabilities/539441/
: has_procedure mga2-64-ok mga2-32-ok
: validated_update
: 9867
Reported: 2013-01-06 21:28 CET by Oden Eriksson
Modified: 2013-05-02 19:10 CEST

See Also:
Source RPM: util-linux-2.21.1-1.mga2.src.rpm
CVE:


Attachments
the fix (4.41 KB, patch)
2013-01-06 22:17 CET, Oden Eriksson

Description Oden Eriksson 2013-01-06 21:28:26 CET
https://bugzilla.redhat.com/show_bug.cgi?id=892330

"Kurt Seifried 2013-01-06 13:00:55 EST

This was originally reported by Jann Horn (jannhorn@googlemail.com):

mount discloses information about folders not accessible for a user:

$ ls -ld /root/.ssh
ls: cannot access /root/.ssh: Permission denied
$ ls -ld /root/.foo
ls: cannot access /root/.foo: Permission denied

First variant:

$ mount --guess-fstype /root/.ssh/../../dev/sda1
ext4
$ mount --guess-fstype /root/.foo/../../dev/sda1
unknown

Second one:

$ mount /root/.ssh/../../dev/cdrom
mount: no medium found on /dev/sr0
$ mount /root/.foo/../../dev/cdrom
mount: can't find /root/.foo/../../dev/cdrom in /etc/fstab or /etc/mtab

These issues were, as far as I can see, fixed in the following upstream commits:
 - 0377ef91270d06592a0d4dd009c29e7b1ff9c9b8
 - 33c5fd0c5a774458470c86f9d318d8c48a9c9ccb
 - 5ebbc3865d1e53ef42e5f121c41faab23dd59075
 - cc8cc8f32c863f3ae6a8a88e97b47bcd6a21825f

External references:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697464"
Comment 1 Oden Eriksson 2013-01-06 22:17:26 CET
Created attachment 3325
the fix

The fix was taken from util-linux-2.22.2, but won't help since /bin/mount and /bin/umount both have the suid bit set...
Comment 2 David Walser 2013-02-21 23:05:37 CET
RedHat has issued an advisory for this today (February 21):
https://rhn.redhat.com/errata/RHSA-2013-0517.html

They reference 4 upstream commits:
https://bugzilla.redhat.com/show_bug.cgi?id=892330

It looks like some of that is in our Cauldron package, and some is not, and none of it is in our Mageia 2 package.
Comment 3 David Walser 2013-02-21 23:06:02 CET
LWN reference:
http://lwn.net/Vulnerabilities/539441/
Comment 4 David Walser 2013-04-19 16:12:26 CEST
Our Cauldron package is not vulnerable to this.
Comment 5 David Walser 2013-04-19 16:43:00 CEST
Confirmed our Mageia 2 package is vulnerable.

Patched package uploaded for Mageia 2.

Patch added to Mageia 1 SVN.

Advisory:
========================

Updated util-linux packages fix security vulnerability:

An information disclosure flaw was found in the way the mount command
reported errors. A local attacker could use this flaw to determine the
existence of files and directories they do not have access to
(CVE-2013-0157).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0157
https://rhn.redhat.com/errata/RHSA-2013-0517.html
========================

Updated packages in core/updates_testing:
========================
util-linux-2.21.1-1.1.mga2
libblkid1-2.21.1-1.1.mga2
libblkid-devel-2.21.1-1.1.mga2
libuuid1-2.21.1-1.1.mga2
libuuid-devel-2.21.1-1.1.mga2
uuidd-2.21.1-1.1.mga2
libmount1-2.21.1-1.1.mga2
libmount-devel-2.21.1-1.1.mga2

from util-linux-2.21.1-1.1.mga2.src.rpm
Comment 6 Oden Eriksson 2013-04-20 11:57:19 CEST
And what about the suid bit, as in Comment 1?
Comment 7 David Walser 2013-04-20 13:01:29 CEST
(In reply to Oden Eriksson from comment #6)
> And what about the suid bit, as in Comment 1?

The patch I used was different than yours. Do the PoCs from Comment 0 still work with the update or not?
Comment 8 claire robinson 2013-04-25 12:13:08 CEST
Testing mga2 64

Some issues with systemd, see below.

Before
------
$ ls -ld /root/.ssh
ls: cannot access /root/.ssh: Permission denied
$ ls -ld /root/.foo
ls: cannot access /root/.foo: Permission denied

$ mount --guess-fstype /root/.ssh/../../dev/sda1
ext3
$ mount --guess-fstype /root/.foo/../../dev/sda1
unknown

$ mount /root/.ssh/../../dev/cdrom
mount: can't find /root/.ssh/../../dev/cdrom in /etc/fstab or /etc/mtab
$  mount /root/.foo/../../dev/cdrom
mount: can't find /root/.foo/../../dev/cdrom in /etc/fstab or /etc/mtab
$ mount /root/.ssh/../../dev/sr0
mount: can't find /root/.ssh/../../dev/sr0 in /etc/fstab or /etc/mtab


Comparing the output of blkid as root, before and after. Also checking uuidd daemon and output of some commands from "urpmf util-linux | grep bin" such as dmesg, fdisk, logger, whereis


# service uuidd start
Starting uuidd (via systemctl):  Job failed. See system journal and 'systemctl status' for details.                                     [FAILED]

# systemctl status uuidd.service
uuidd.service - LSB: UUID daemon
          Loaded: loaded (/etc/rc.d/init.d/uuidd)
          Active: failed (Result: resources) since Thu, 25 Apr 2013 10:41:25 +0100; 11s ago
         Process: 23971 ExecStart=/etc/rc.d/init.d/uuidd start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/uuidd.service

# tail /var/log/syslog
Apr 25 10:41:25 localhost uuidd[23971]: Starting uuidd: [  OK  ]
Apr 25 10:41:25 localhost systemd[1]: PID file /var/lib/libuuid/uuidd.pid not readable (yet?) after start.
Apr 25 10:41:25 localhost systemd[1]: Unit uuidd.service entered failed state.

# ps aux | grep uuid
uuidd    24000  0.0  0.0  14376    96 ?        Ss   10:41   0:00 /usr/sbin/uuidd

# ll /var/lib/libuuid/uuidd.pid
ls: cannot access /var/lib/libuuid/uuidd.pid: No such file or directory


So, it appears to actually be starting from the init file but systemd isn't finding the pid file and declares a failure. /var/lib/libuuid/ is empty. Directory ownership seems OK but the path for pid file is incorrect as the init file is set to /var/run/uuidd/uuidd.pid.

# ll -d /var/lib/libuuid
drwxrwsr-x 2 uuidd uuidd 4096 Apr  8  2012 /var/lib/libuuid/

From /etc/init.d/uuidd..

# pidfile: /var/lib/libuuid/uuidd.pid

daemon --user uuidd --pidfile /var/run/uuidd/uuidd.pid /usr/sbin/uuidd


Some tests..
# uuidd -r << returns a random uuid
bae72f3e-7699-4f97-b162-5f554c6993ef

# uuidd -t << returns a  time based uuid
108bec70-ad8e-11e2-a5da-00218514ca4e


After
-----
All OK apart from uuidd, same issue.
Comment 9 claire robinson 2013-04-25 12:19:01 CEST
Forgot to post the results of PoC after..

$ mount --guess-fstype /root/.ssh/../../dev/sda1
mount: unrecognized option '--guess-fstype'
..etc

$ mount --guess-fstype /root/.foo/../../dev/sda1
mount: unrecognized option '--guess-fstype'
..etc

$ mount /root/.ssh/../../dev/cdrom
/root/.ssh/../../dev/cdrom: Permission denied

$ mount /root/.foo/../../dev/cdrom
/root/.foo/../../dev/cdrom: Permission denied

$ mount /root/.ssh/../../dev/sr0
/root/.ssh/../../dev/sr0: Permission denied

Mounting usb stick/hdd from the DE still works OK and 'mount' as regular user shows the mount points.
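
The before/after comparison in comments 0, 8 and 9 comes down to one question: once the caller's own path argument is masked, does mount answer differently for an existing and a missing directory? The following is an added example, not part of the original bug thread and not util-linux or Mageia QA tooling; the helper names are hypothetical and the transcripts are copied from those comments.

```python
# Added example: transcripts are copied from comments 0, 8 and 9 of this report;
# the helper names are hypothetical, not util-linux or Mageia QA tooling.
PLACEHOLDER = "<ARG>"
SSH, FOO = "/root/.ssh/../..", "/root/.foo/../.."  # existing vs. missing directory


def normalize(arg, output):
    """Mask the caller-supplied path so only mount's own wording is compared."""
    return " ".join(output.replace(arg, PLACEHOLDER).split())


def leaks_existence(existing, missing):
    """Each argument is (path_argument, captured_output).

    Any difference left after masking the argument lets an unprivileged
    caller distinguish an existing directory from a missing one.
    """
    return normalize(*existing) != normalize(*missing)


CANT_FIND = "mount: can't find {} in /etc/fstab or /etc/mtab"
DENIED = "{}: Permission denied"
NO_OPT = "mount: unrecognized option '--guess-fstype'"

# name -> ((existing_arg, output), (missing_arg, output)); cN = comment N
CASES = {
    "c0 guess-fstype": ((SSH + "/dev/sda1", "ext4"), (FOO + "/dev/sda1", "unknown")),
    "c0 cdrom": ((SSH + "/dev/cdrom", "mount: no medium found on /dev/sr0"),
                 (FOO + "/dev/cdrom", CANT_FIND.format(FOO + "/dev/cdrom"))),
    "c8 guess-fstype": ((SSH + "/dev/sda1", "ext3"), (FOO + "/dev/sda1", "unknown")),
    "c8 cdrom": ((SSH + "/dev/cdrom", CANT_FIND.format(SSH + "/dev/cdrom")),
                 (FOO + "/dev/cdrom", CANT_FIND.format(FOO + "/dev/cdrom"))),
    "c9 guess-fstype": ((SSH + "/dev/sda1", NO_OPT), (FOO + "/dev/sda1", NO_OPT)),
    "c9 cdrom": ((SSH + "/dev/cdrom", DENIED.format(SSH + "/dev/cdrom")),
                 (FOO + "/dev/cdrom", DENIED.format(FOO + "/dev/cdrom"))),
}


def audit(cases):
    """Return {case name: True if the pair of replies is distinguishable}."""
    return {name: leaks_existence(a, b) for name, (a, b) in cases.items()}


if __name__ == "__main__":
    for name, leaky in audit(CASES).items():
        print(f"{name:16} {'LEAKS' if leaky else 'ok'}")
```

The "c8 cdrom" pair comes out clean even though that package was unpatched, while "c8 guess-fstype" on the same machine does not, so an update should only be validated when every probe variant is indistinguishable.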
Comment 10 claire robinson 2013-04-25 12:21:00 CEST
--guess-fstype fails as root also though, is this the correct fix?
Comment 11 David Walser 2013-04-25 13:41:47 CEST
(In reply to claire robinson from comment #10)
> --guess-fstype fails as root also though, is this the correct fix?

Yes, it was an undocumented option that in the code previously said that it may be removed again later, and indeed it has been removed now.
Comment 12 David Walser 2013-04-25 13:42:42 CEST
Please file another bug for the uuidd issue.
Comment 13 claire robinson 2013-04-25 14:03:24 CEST
Bug 9867 created but seems likely to be a trivial fix
Comment 14 David Walser 2013-04-25 20:25:13 CEST
uuidd issue fixed, new package uploaded.

Advisory:
========================

Updated util-linux packages fix security vulnerability:

An information disclosure flaw was found in the way the mount command
reported errors. A local attacker could use this flaw to determine the
existence of files and directories they do not have access to
(CVE-2013-0157).

Additionally, an error in the init script for the uuidd service was
corrected.  The error affected systemd's ability to tell that the
service is running.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0157
https://rhn.redhat.com/errata/RHSA-2013-0517.html
========================

Updated packages in core/updates_testing:
========================
util-linux-2.21.1-1.2.mga2
libblkid1-2.21.1-1.2.mga2
libblkid-devel-2.21.1-1.2.mga2
libuuid1-2.21.1-1.2.mga2
libuuid-devel-2.21.1-1.2.mga2
uuidd-2.21.1-1.2.mga2
libmount1-2.21.1-1.2.mga2
libmount-devel-2.21.1-1.2.mga2

from util-linux-2.21.1-1.2.mga2.src.rpm
Comment 15 claire robinson 2013-05-01 17:27:51 CEST
Testing complete mga2 64

Confirmed the uuidd fix and CVE still closed, thanks David.
Comment 16 claire robinson 2013-05-01 17:32:58 CEST
Testing complete mga2 32

Validating

Advisory & SRPM in comment 14

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 17 Thomas Backlund 2013-05-02 19:10:51 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0126
