[v2.2] Multiple vulnerabilities in util-linux allow information disclosure
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0157
https://bugzilla.redhat.com/show_bug.cgi?id=892330
This was originally reported by Jann Horn (jannhorn@googlemail.com):
mount discloses information about folders not accessible for a user:
$ ls -ld /root/.ssh
ls: cannot access /root/.ssh: Permission denied
$ ls -ld /root/.foo
ls: cannot access /root/.foo: Permission denied
First variant:
$ mount --guess-fstype /root/.ssh/../../dev/sda1
ext4
$ mount --guess-fstype /root/.foo/../../dev/sda1
unknown
Second one:
$ mount /root/.ssh/../../dev/cdrom
mount: no medium found on /dev/sr0
$ mount /root/.foo/../../dev/cdrom
mount: can't find /root/.foo/../../dev/cdrom in /etc/fstab or /etc/mtab
The following upstream commits address this issue:
(For both util-linux as well as util-linux-ng)
- Adds canonicalize_path_restricted() to canonicalize without suid permissions:
  http://git.kernel.org/?p=utils/util-linux/util-linux.git;a=commit;h=33c5fd0c5a774458470c86f9d318d8c48a9c9ccb
- sanitize path for non-root users (mount):
  http://git.kernel.org/?p=utils/util-linux/util-linux.git;a=commit;h=5ebbc3865d1e53ef42e5f121c41faab23dd59075
- sanitize path for non-root users (umount):
  http://git.kernel.org/?p=utils/util-linux/util-linux.git;a=commit;h=cc8cc8f32c863f3ae6a8a88e97b47bcd6a21825f
- drop the --guess-fstype option:
  http://git.kernel.org/?p=utils/util-linux/util-linux.git;a=commit;h=0377ef91270d06592a0d4dd009c29e7b1ff9c9b8
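An added sketch (not part of the original report and not util-linux's own code) of the idea named in the first commit: resolve a user-supplied path with the effective IDs temporarily set to the caller's real IDs, so a lookup under a directory such as /root fails for the setuid program exactly as it would for the user. The helper name resolve_as_real_user and the single generic error message are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: returns a malloc()ed canonical path, or NULL with
 * errno set. realpath() runs with the caller's real uid/gid only. */
char *resolve_as_real_user(const char *path)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    char *resolved;
    int saved;

    if (path == NULL || *path == '\0') {
        errno = EINVAL;
        return NULL;
    }
    /* Drop the group first: once euid is unprivileged, setegid() may fail. */
    if (setegid(getgid()) < 0)
        return NULL;
    if (seteuid(getuid()) < 0) {
        saved = errno;
        if (setegid(egid) < 0)
            abort();
        errno = saved;
        return NULL;
    }
    resolved = realpath(path, NULL);   /* symlinks and ".." as the real user */
    saved = errno;
    /* Restore uid first to regain the right to change egid. Continuing
     * with half-restored credentials is unsafe, so abort on failure. */
    if (seteuid(euid) < 0 || setegid(egid) < 0)
        abort();
    errno = saved;
    return resolved;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        char *p = resolve_as_real_user(argv[i]);
        if (p != NULL)
            printf("%s -> %s\n", argv[i], p);
        else /* same text for every failure, whatever errno says */
            printf("%s: cannot resolve path\n", argv[i]);
        free(p);
    }
    return 0;
}
```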
(from redmine: issue id 1829, created on 2013-04-30, closed on 2013-05-21)
- Relations:
- parent #1825 (closed)