[v3.1] busybox: modprobe wrongly accepts paths as module names (CVE-2014-9645)
modprobe uses the “basename” of the module argument as the module to load, as can be seen here:
bbox:~# lsmod | grep vfat
bbox:~# modprobe foo/bar/baz/vfat
bbox:~# lsmod | grep vfat
vfat 17135 0
fat 61984 1 vfat
bbox:~# find /lib/modules/`uname -r` -name vfat.ko
/lib/modules/3.18.0-rc5+/vfat.ko
It should instead fail to load the module — actually fail to find the
module.
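An added illustration in C (not busybox's code and not the upstream commit) contrasting the basename-only handling shown in the session above with a strict name check a hardened modprobe could apply. The module directory string is taken from the `find` output above; the whitelist of allowed name characters is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Behaviour this report describes: only the basename of the argument is used,
 * so "foo/bar/baz/vfat" is treated as "vfat". */
const char *basename_of(const char *arg)
{
    const char *slash = strrchr(arg, '/');
    return slash ? slash + 1 : arg;
}

/* Strict check (an assumed policy, not the upstream commit's code): a module
 * name must be non-empty and consist only of letters, digits, '_' and '-'.
 * A path separator or other punctuation is rejected outright instead of
 * being silently reduced to its last component. */
int module_name_is_valid(const char *arg)
{
    if (arg == NULL || *arg == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)arg; *p; p++)
        if (!isalnum(*p) && *p != '_' && *p != '-')
            return 0;
    return 1;
}

/* Build "<moddir>/<name>.ko" only for a valid name; returns 0 and leaves out
 * empty on rejection or truncation. */
int module_path(const char *moddir, const char *arg, char *out, size_t outlen)
{
    int n = module_name_is_valid(arg)
            ? snprintf(out, outlen, "%s/%s.ko", moddir, arg) : -1;
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';
        return 0;
    }
    return 1;
}
int main(void)
{
    /* moddir taken from the find output in the report; inputs are constructed */
    const char *args[] = { "vfat", "foo/bar/baz/vfat", "vfat.ko", "" };
    char path[256];
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        int ok = module_path("/lib/modules/3.18.0-rc5+", args[i], path, sizeof path);
        printf("%-18s basename=%-8s strict=%s %s\n", args[i], basename_of(args[i]),
               ok ? "accept" : "reject", path);
    }
    return 0;
}
```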
This is fixed upstream, so v1.23.0 and later are no longer vulnerable.
References:
http://seclists.org/oss-sec/2015/q1/256
https://security-tracker.debian.org/tracker/CVE-2014-9645
CONFIRM: https://bugs.busybox.net/show_bug.cgi?id=7652
CONFIRM: http://git.busybox.net/busybox/commit/?id=4e314faa0aecb66717418e9a47a4451aec59262b
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776186
(from redmine: issue id 3877, created on 2015-02-02, closed on 2017-05-17)
- Relations:
- parent #3873
- Changesets:
- Revision 124a4339 by Natanael Copa on 2015-03-20T12:08:56Z:
main/busybox: security fix for CVE-2014-9645
fixes #3877