+++ This bug was initially created as a clone of Bug #1534076 +++
Debugging of libmount can be activated, also in SUID binaries, thus spilling out the heap addresses. This allows creating a local domain socket with only 4k buffer size, filling it up until writes are blocking and then starting umount with that socket as stdout. This allows race-free reading of the address output before umount accesses other user-controlled resources. Thus any error during the downstream procedure creating some kind of write-where vulnerability will always find the correct target.
References:
https://www.spinics.net/lists/util-linux-ng/msg14978.html
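The hardening this report calls for, as an added example that is not part of the original report and not util-linux's own code: a library debug initializer that refuses to take its debug mask from the environment when the process runs set-uid or set-gid. It assumes debugging is switched on through an environment variable (libmount reads `LIBMOUNT_DEBUG`); the `proc_ids` struct and function names are hypothetical, and only numeric masks are parsed here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Credentials of the calling process, passed in so the check can be tested. */
struct proc_ids { uid_t ruid, euid; gid_t rgid, egid; };

static struct proc_ids current_ids(void)
{
    struct proc_ids p = { getuid(), geteuid(), getgid(), getegid() };
    return p;
}

/* True when the binary runs with privileges the invoking user does not have. */
static int is_privileged(const struct proc_ids *p)
{
    return p->ruid != p->euid || p->rgid != p->egid;
}

/*
 * Parse a debug mask from the environment variable `name`.
 * Returns 0 (debugging off) when the process is set-uid/set-gid, when the
 * variable is unset or empty, or when its value is not a clean number.
 */
static unsigned long debug_mask_from_env(const char *name,
                                         const struct proc_ids *p)
{
    const char *val;
    char *end = NULL;
    unsigned long mask;

    if (is_privileged(p))
        return 0;   /* the invoking user's environment must not enable it */
    val = getenv(name);
    if (!val || !*val)
        return 0;
    errno = 0;
    mask = strtoul(val, &end, 0);
    if (errno || *end != '\0')
        return 0;
    return mask;
}

int main(void)
{
    struct proc_ids me = current_ids();
    printf("debug mask: 0x%lx\n", debug_mask_from_env("LIBMOUNT_DEBUG", &me));
    return 0;
}
```

On glibc, `secure_getenv()` applies the same rule at the lookup itself: it returns NULL when the process was started in secure-execution mode.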
--- Additional comment from Laura Pardo on 2018-01-12 19:14:03 EST ---
Created util-linux tracking bugs for this issue:
Affects: fedora-all [bug 1534077]
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:0936