Bug 1168485 (CVE-2014-9114)

Summary: CVE-2014-9114 util-linux: command injection flaw in blkid
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jonathan, jrusnack, kzak
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-22 11:14:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1168490    
Bug Blocks: 1168492    

Description Murray McAllister 2014-11-27 06:04:55 UTC 
Sebastian Krahmer reported a command injection flaw in blkid. This could possibly result in command execution with root privileges (for example, when running blkid on a malicious USB drive):

http://www.openwall.com/lists/oss-security/2014/11/26/13
Comment 1 Murray McAllister 2014-11-27 06:21:58 UTC 
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1168490]
Comment 2 Murray McAllister 2014-11-27 06:23:14 UTC 
Tested on Fedora, seems it will be affected. I am not aware of any patches.
Comment 3 Karel Zak 2014-11-27 09:23:54 UTC 
(In reply to Murray McAllister from comment #0)
> Sebastian Krahmer reported a command injection flaw in blkid. This could
> possibly result in command execution with root privileges (for example, when
> running blkid on a malicious USB drive):
> 
> http://www.openwall.com/lists/oss-security/2014/11/26/13

This is not true, udev never ever call "blkid -o udev", it always call blkid command with -p to *avoid* blkid cache usage.
Comment 4 Karel Zak 2014-11-27 12:21:17 UTC 
And we don't use blkid binary in recent udevd at all, it's directly linked with  libblkid and it does not use cached results at all.
Comment 5 Karel Zak 2014-11-27 13:12:58 UTC 
Fixed in upstream tree, commit:

https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc
Comment 6 Murray McAllister 2014-11-27 13:18:35 UTC 
(In reply to Karel Zak from comment #5)
> Fixed in upstream tree, commit:
> 
> https://github.com/karelzak/util-linux/commit/
> 89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc

Hi Karel,

Thank you for the info and patch!
Comment 7 Ján Rusnačko 2014-12-01 21:33:42 UTC 
RHEL 5 is not affected by this, as blkid does not have option to format output as key=value to be eval`d. Only permitted options are value, device and full.

RHEL 6 is affected. As Karel mentioned, udev calls with -p, so the only suspicious call I found is in dracut-functions:

    138 get_fs_env() {
    139     if [[ -x /lib/udev/vol_id ]]; then
    140 	eval $(/lib/udev/vol_id --export $1)
    141     elif find_binary blkid >/dev/null; then
    142 	eval $(blkid -o udev $1)
    143     else
    144 	return 1
    145     fi
    146 }

To trigger this code, one has to call `dracut --hostonly`, which forces sequential scan of entries in /proc/mounts. The scan continues until it finds entry which corresponds to /. Each entry passes through get_fs_env(), so if any of the devices up to and including / in /proc/mounts contain filesystem with malicious label, running dracut with hostonly would result in execution of command in malicious label. Content in /proc/mounts is appended, so malicious USB should not be an issue.

RHEL 7 is affected, but I haven`t found any code which would eval the output from blkid -o udev.
Comment 9 Ján Rusnačko 2014-12-01 21:47:08 UTC 
References:

https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc
http://www.openwall.com/lists/oss-security/2014/11/26/13
Comment 11 Fedora Update System 2014-12-04 06:24:13 UTC 
util-linux-2.24.2-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2014-12-15 04:33:45 UTC 
util-linux-2.25.2-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Ján Rusnačko 2015-10-19 12:39:12 UTC 
Statement:

This issue affects the versions of util-linux as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. Because exploitability of this issue requires conditions unlikely to occur, this issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.