Project

General

Profile

Bug #1825

[v2.6] Multiple vulnerabilities in util-linux allows information disclosure

Added by Leonardo Arena about 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
High
Assignee:
-
Category:
Security
Target version:
Start date:
04/30/2013
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Affected versions:
Security IDs:

Description

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0157
https://bugzilla.redhat.com/show_bug.cgi?id=892330

This was originally reported by Jann Horn ():

mount discloses information about folders not accessible for a user:

$ ls -ld /root/.ssh
ls: cannot access /root/.ssh: Permission denied
$ ls -ld /root/.foo
ls: cannot access /root/.foo: Permission denied

First variant:

$ mount --guess-fstype /root/.ssh/../../dev/sda1
ext4
$ mount --guess-fstype /root/.foo/../../dev/sda1
unknown

Second one:

$ mount /root/.ssh/../../dev/cdrom
mount: no medium found on /dev/sr0
$ mount /root/.foo/../../dev/cdrom
mount: can't find /root/.foo/../../dev/cdrom in /etc/fstab or /etc/mtab

The following upstream commits address this issue:
(For both util-linux as well as util-linux-ng)

1. Adds canonicalize_path_restricted() to canonicalize without suid permisssions
http://git.kernel.org/?p=utils/util-linux/util-linux.git;a=commit;h=33c5fd0c5a774458470c86f9d318d8c48a9c9ccb

2. sanitize path for non-root users (mount):
http://git.kernel.org/?p=utils/util-linux/util-linux.git;a=commit;h=5ebbc3865d1e53ef42e5f121c41faab23dd59075

3. sanitize path for non-root users (umount):
http://git.kernel.org/?p=utils/util-linux/util-linux.git;a=commit;h=cc8cc8f32c863f3ae6a8a88e97b47bcd6a21825f

4. drop the --guess-fstype option:
http://git.kernel.org/?p=utils/util-linux/util-linux.git;a=commit;h=0377ef91270d06592a0d4dd009c29e7b1ff9c9b8


Subtasks

Bug #1827: [v2.4] Multiple vulnerabilities in util-linux allows information disclosureClosed

Bug #1828: [v2.3] Multiple vulnerabilities in util-linux allows information disclosureClosed

Bug #1829: [v2.2] Multiple vulnerabilities in util-linux allows information disclosureRejected

History

#1 Updated by Natanael Copa about 6 years ago

  • Status changed from New to Resolved

edge and v2.6 has util-linux-2.22.2 where this appears to be fixed already.

#2 Updated by Natanael Copa about 6 years ago

  • Status changed from Resolved to Closed

#3 Updated by Natanael Copa about 6 years ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security

Also available in: Atom PDF