Bug 1589839 (CVE-2014-5220)

Summary: CVE-2014-5220 mdadm: Improper sanitization of device names allows arbitrary command execution
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: agk, dledford, dmilburn, hwkernel-mgr, jes.sorensen, ncroxon, xni
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: mdadm 3.3.3
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-11 13:46:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1590393

Description Adam Mariš 2018-06-11 13:43:05 UTC
The mdcheck script of the mdadm package for openSUSE 13.2 prior to version 3.3.1-5.14.1 does not properly sanitize device names, which allows local attackers to execute arbitrary commands as root.

Bug report:

https://bugzilla.suse.com/show_bug.cgi?id=910500
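The defect class described above, a device name that is not sanitized before a shell command is built from it, has a standard mitigation: accept only names that match a strict pattern and pass them on double-quoted. The POSIX sh snippet below is added here as an illustration of that check; it is not code from mdadm's mdcheck script or from the upstream fix (neither is shown on this page). The accepted name pattern, the function names and the sample device list are assumptions.

```shell
# Added example, not mdadm's own mdcheck code. The exact defect in the
# original script is not described on this page; this is the generic
# mitigation for the bug class (an unsanitized device name reaching a shell).

# Return 0 only when $1 is a plain /dev/md<N> (up to three digits) or a
# /dev/md/<name> path whose name consists of [A-Za-z0-9_.-] only.
# Anything containing spaces, shell metacharacters or ".." components fails.
is_safe_md_device() {
    case "$1" in
        */../*|*/..|../*) return 1 ;;      # reject path traversal
        /dev/md[0-9]|/dev/md[0-9][0-9]|/dev/md[0-9][0-9][0-9]) return 0 ;;
        /dev/md/*)
            _name=${1#/dev/md/}
            [ -n "$_name" ] || return 1    # "/dev/md/" alone is not a device
            case "$_name" in
                *[!A-Za-z0-9_.-]*) return 1 ;;   # any other character: reject
                *) return 0 ;;
            esac ;;
        *) return 1 ;;                     # not under /dev/md at all
    esac
}

# Constructed sample input (assumption): the kind of list a script might
# collect from /proc/mdstat or udev, with hostile entries mixed in.
SAMPLE_DEVICES='/dev/md0
/dev/md127
/dev/md/home
/dev/md0; echo injected
/dev/md/../sda
/dev/sda1'

# Print only the names that pass validation, one per line. The variable is
# always double-quoted so a name can never be split or re-parsed.
safe_md_devices() {
    printf '%s\n' "$SAMPLE_DEVICES" | while IFS= read -r dev; do
        if is_safe_md_device "$dev"; then
            printf '%s\n' "$dev"
        fi
    done
}

# Stand-alone run: show the filtered list.
safe_md_devices
```

Run it with `sh`; only `/dev/md0`, `/dev/md127` and `/dev/md/home` survive. A script that goes on to call `mdadm` or write to sysfs for each device should do so only after this check and with the name double-quoted at every use.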

Comment 2 Tomas Hoger 2018-06-12 21:06:20 UTC
The mdcheck script was added to mdadm in the upstream version 3.3.1, and it was fixed via the commit linked above in upstream version 3.3.3.

Comment 3 Tomas Hoger 2018-06-15 21:36:33 UTC
Affected upstream versions of mdadm were included in Red Hat Enterprise Linux 6.7, 7.1, and 7.2.

However, in the Red Hat Enterprise Linux mdadm packages, the mdcheck script is only included in the /usr/share/doc/mdadm* directory and is not installed as an executable file. Therefore, it is not used by default, and is not expected to be commonly used.