https://bugzilla.redhat.com/show_bug.cgi?id=892330

"Kurt Seifried 2013-01-06 13:00:55 EST

This was originally reported by Jann Horn (jannhorn@googlemail.com):

mount discloses information about folders not accessible for a user:

    $ ls -ld /root/.ssh
    ls: cannot access /root/.ssh: Permission denied
    $ ls -ld /root/.foo
    ls: cannot access /root/.foo: Permission denied

First variant:

    $ mount --guess-fstype /root/.ssh/../../dev/sda1
    ext4
    $ mount --guess-fstype /root/.foo/../../dev/sda1
    unknown

Second one:

    $ mount /root/.ssh/../../dev/cdrom
    mount: no medium found on /dev/sr0
    $ mount /root/.foo/../../dev/cdrom
    mount: can't find /root/.foo/../../dev/cdrom in /etc/fstab or /etc/mtab

These issues were, as far as I can see, fixed in the following upstream commits:

- 0377ef91270d06592a0d4dd009c29e7b1ff9c9b8
- 33c5fd0c5a774458470c86f9d318d8c48a9c9ccb
- 5ebbc3865d1e53ef42e5f121c41faab23dd59075
- cc8cc8f32c863f3ae6a8a88e97b47bcd6a21825f

External references:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697464"
Created attachment 3325: the fix

The fix was taken from util-linux-2.22.2, but won't help since /bin/mount and /bin/umount both have the suid bit set...
CC: (none) => luigiwalser
CC: (none) => tmb
CC: (none) => thierry.vignaud
Summary: CVE-2013-0157: util-linux - mount folder existence information disclosure => util-linux - mount folder existence information disclosure (CVE-2013-0157)
RedHat has issued an advisory for this today (February 21): https://rhn.redhat.com/errata/RHSA-2013-0517.html They reference 4 upstream commits: https://bugzilla.redhat.com/show_bug.cgi?id=892330 It looks like some of that is in our Cauldron package, and some is not, and none of it is in our Mageia 2 package.
LWN reference: http://lwn.net/Vulnerabilities/539441/
Source RPM: (none) => util-linux-2.22.2-3.mga3.src.rpm
Version: 2 => Cauldron
Whiteboard: (none) => MGA2TOO
Our Cauldron package is not vulnerable to this.
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
Confirmed our Mageia 2 package is vulnerable.

Patched package uploaded for Mageia 2.

Patch added to Mageia 1 SVN.

Advisory:
========================

Updated util-linux packages fix security vulnerability:

An information disclosure flaw was found in the way the mount command reported errors. A local attacker could use this flaw to determine the existence of files and directories they do not have access to (CVE-2013-0157).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0157
https://rhn.redhat.com/errata/RHSA-2013-0517.html
========================

Updated packages in core/updates_testing:
========================
util-linux-2.21.1-1.1.mga2
libblkid1-2.21.1-1.1.mga2
libblkid-devel-2.21.1-1.1.mga2
libuuid1-2.21.1-1.1.mga2
libuuid-devel-2.21.1-1.1.mga2
uuidd-2.21.1-1.1.mga2
libmount1-2.21.1-1.1.mga2
libmount-devel-2.21.1-1.1.mga2

from util-linux-2.21.1-1.1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
URL: (none) => http://lwn.net/Vulnerabilities/539441/
Source RPM: util-linux-2.22.2-3.mga3.src.rpm => util-linux-2.21.1-1.mga2.src.rpm
And, what about the suid bit as in Comment 1 ?
(In reply to Oden Eriksson from comment #6)
> And, what about the suid bit as in Comment 1 ?

The patch I used was different than yours. Do the PoCs from Comment 0 still work with the update or not?
Testing mga2 64

Some issues with systemd, see below.

Before
------
$ ls -ld /root/.ssh
ls: cannot access /root/.ssh: Permission denied
$ ls -ld /root/.foo
ls: cannot access /root/.foo: Permission denied

$ mount --guess-fstype /root/.ssh/../../dev/sda1
ext3
$ mount --guess-fstype /root/.foo/../../dev/sda1
unknown

$ mount /root/.ssh/../../dev/cdrom
mount: can't find /root/.ssh/../../dev/cdrom in /etc/fstab or /etc/mtab
$ mount /root/.foo/../../dev/cdrom
mount: can't find /root/.foo/../../dev/cdrom in /etc/fstab or /etc/mtab
$ mount /root/.ssh/../../dev/sr0
mount: can't find /root/.ssh/../../dev/sr0 in /etc/fstab or /etc/mtab

Comparing the output of blkid as root, before and after. Also checking uuidd daemon and output of some commands from "urpmf util-linux | grep bin" such as dmesg, fdisk, logger, whereis

# service uuidd start
Starting uuidd (via systemctl): Job failed. See system journal and 'systemctl status' for details. [FAILED]

# systemctl status uuidd.service
uuidd.service - LSB: UUID daemon
  Loaded: loaded (/etc/rc.d/init.d/uuidd)
  Active: failed (Result: resources) since Thu, 25 Apr 2013 10:41:25 +0100; 11s ago
  Process: 23971 ExecStart=/etc/rc.d/init.d/uuidd start (code=exited, status=0/SUCCESS)
  CGroup: name=systemd:/system/uuidd.service

# tail /var/log/syslog
Apr 25 10:41:25 localhost uuidd[23971]: Starting uuidd: [ OK ]
Apr 25 10:41:25 localhost systemd[1]: PID file /var/lib/libuuid/uuidd.pid not readable (yet?) after start.
Apr 25 10:41:25 localhost systemd[1]: Unit uuidd.service entered failed state.

# ps aux | grep uuid
uuidd 24000 0.0 0.0 14376 96 ? Ss 10:41 0:00 /usr/sbin/uuidd

# ll /var/lib/libuuid/uuidd.pid
ls: cannot access /var/lib/libuuid/uuidd.pid: No such file or directory

So, it appears to actually be starting from the init file but systemd isn't finding the pid file and declares a failure.

/var/lib/libuuid/ is empty. Directory ownership seems OK but the path for pid file is incorrect as the init file is set to /var/run/uuidd/uuidd.pid.

# ll -d /var/lib/libuuid
drwxrwsr-x 2 uuidd uuidd 4096 Apr 8 2012 /var/lib/libuuid/

From /etc/init.d/uuidd..

# pidfile: /var/lib/libuuid/uuidd.pid
daemon --user uuidd --pidfile /var/run/uuidd/uuidd.pid /usr/sbin/uuidd

Some tests..

# uuidd -r    << returns a random uuid
bae72f3e-7699-4f97-b162-5f554c6993ef

# uuidd -t    << returns a time based uuid
108bec70-ad8e-11e2-a5da-00218514ca4e

After
-----
All OK apart from uuidd, same issue.
Whiteboard: (none) => feedback has_procedure
Forgot to post the results of PoC after..

$ mount --guess-fstype /root/.ssh/../../dev/sda1
mount: unrecognized option '--guess-fstype'
..etc
$ mount --guess-fstype /root/.foo/../../dev/sda1
mount: unrecognized option '--guess-fstype'
..etc

$ mount /root/.ssh/../../dev/cdrom
/root/.ssh/../../dev/cdrom: Permission denied
$ mount /root/.foo/../../dev/cdrom
/root/.foo/../../dev/cdrom: Permission denied
$ mount /root/.ssh/../../dev/sr0
/root/.ssh/../../dev/sr0: Permission denied

Mounting usb stick/hdd from the DE still works OK and 'mount' as regular user shows the mount points.
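Added example (not part of the bug report and not any commenter's code): a small regression check for the before/after comparison done by hand in this report. It treats the disclosure as an oracle: if mount's message for a path through an existing but unreadable directory differs from the message for a path through a missing one, once the echoed path itself is masked, the two can be told apart. The function and variable names are made up for this example; the messages are copied from the comments in this report.

```shell
#!/bin/sh
# Added example: regression check for the CVE-2013-0157 error-message oracle.
# The messages below are copied from the comments in this report; the
# function and variable names are made up for this example.

# normalize MESSAGE PATH: replace every literal occurrence of PATH in
# MESSAGE with <PATH>, so an echoed argument does not count as a difference.
normalize() {
    msg=$1; path=$2; out=
    [ -n "$path" ] || { printf '%s\n' "$msg"; return; }
    while :; do
        case $msg in
            *"$path"*) out=$out${msg%%"$path"*}'<PATH>'; msg=${msg#*"$path"} ;;
            *) break ;;
        esac
    done
    printf '%s\n' "$out$msg"
}

# leaks MSG_A PATH_A MSG_B PATH_B: succeeds (exit 0) when the two messages
# still differ after normalization, i.e. the caller can tell the paths apart.
leaks() {
    [ "$(normalize "$1" "$2")" != "$(normalize "$3" "$4")" ]
}

P_EXISTING='/root/.ssh/../../dev/cdrom'   # goes through an existing directory
P_MISSING='/root/.foo/../../dev/cdrom'    # goes through a missing directory

# Unpatched mount, from the original report (comment 0).
BEFORE_EXISTING='mount: no medium found on /dev/sr0'
BEFORE_MISSING="mount: can't find $P_MISSING in /etc/fstab or /etc/mtab"
# Updated package, from the "after" test results.
AFTER_EXISTING="$P_EXISTING: Permission denied"
AFTER_MISSING="$P_MISSING: Permission denied"

# verdict MSG_A PATH_A MSG_B PATH_B: print a one-word result for a report.
verdict() {
    if leaks "$@"; then echo 'DISTINGUISHABLE'; else echo 'uniform'; fi
}

echo "before: $(verdict "$BEFORE_EXISTING" "$P_EXISTING" "$BEFORE_MISSING" "$P_MISSING")"
echo "after:  $(verdict "$AFTER_EXISTING" "$P_EXISTING" "$AFTER_MISSING" "$P_MISSING")"
```

For a live check on a test machine, pass the captured stderr of the two mount invocations from the procedure above in place of the embedded messages.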
--guess-fstype fails as root also though, is this the correct fix?
(In reply to claire robinson from comment #10)
> --guess-fstype fails as root also though, is this the correct fix?

Yes, it was an undocumented option that in the code previously said that it may be removed again later, and indeed it has been removed now.
Whiteboard: feedback has_procedure => has_procedure
Please file another bug for the uuidd issue.
Bug 9867 created but seems likely to be a trivial fix
Blocks: (none) => 9867
uuidd issue fixed, new package uploaded.

Advisory:
========================

Updated util-linux packages fix security vulnerability:

An information disclosure flaw was found in the way the mount command reported errors. A local attacker could use this flaw to determine the existence of files and directories they do not have access to (CVE-2013-0157).

Additionally, an error in the init script for the uuidd service was corrected. The error affected systemd's ability to tell that the service is running.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0157
https://rhn.redhat.com/errata/RHSA-2013-0517.html
========================

Updated packages in core/updates_testing:
========================
util-linux-2.21.1-1.2.mga2
libblkid1-2.21.1-1.2.mga2
libblkid-devel-2.21.1-1.2.mga2
libuuid1-2.21.1-1.2.mga2
libuuid-devel-2.21.1-1.2.mga2
uuidd-2.21.1-1.2.mga2
libmount1-2.21.1-1.2.mga2
libmount-devel-2.21.1-1.2.mga2

from util-linux-2.21.1-1.2.mga2.src.rpm
Testing complete mga2 64

Confirmed the uuidd fix and CVE still closed, thanks David.
Whiteboard: has_procedure => has_procedure mga2-64-ok
Testing complete mga2 32

Validating

Advisory & SRPM in comment 14

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0126
Status: NEW => RESOLVED
Resolution: (none) => FIXED