Bug 1589839 (CVE-2014-5220)
Summary: | CVE-2014-5220 mdadm: Improper sanitization of device names allows arbitrary command execution | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | agk, dledford, dmilburn, hwkernel-mgr, jes.sorensen, ncroxon, xni |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | mdadm 3.3.3 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-06-11 13:46:10 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1590393 | | |
Description
Adam Mariš
2018-06-11 13:43:05 UTC
The mdcheck script was added to mdadm in the upstream version 3.3.1, and it was fixed via the commit linked above in upstream version 3.3.3. Affected upstream versions of mdadm were included in Red Hat Enterprise Linux 6.7, 7.1, and 7.2. However, in the Red Hat Enterprise Linux mdadm packages, the mdcheck script is only included in the /usr/share/doc/mdadm* directory and is not installed executable. Therefore, it is not used by default, and is not expected to be commonly used.
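The comment's NOTABUG reasoning rests on a packaging fact: mdcheck exists on an affected RHEL host only as a non-executable file under /usr/share/doc/mdadm*. The script below is an added example, not part of the bug report or of mdadm, that checks that fact on a given system. It locates every file named mdcheck under the usual install prefixes, flags any copy that is executable or lives outside the documentation directory, and looks for cron or systemd configuration that references mdcheck (an administrator may have copied the script out of /usr/share/doc and scheduled it by hand, which is exactly the case the comment says is not expected to be common). The ROOT argument, the directories searched, and the three-way return code are assumptions of this example so it can be run against a mounted image, a chroot, or a constructed test tree rather than only the live filesystem.

```shell
#!/bin/sh
# Added example (not from the bug report or from mdadm): audit a filesystem
# tree for copies of the mdadm "mdcheck" script and report whether any copy
# is in a position to be executed.
#
# mdcheck_status [ROOT]
#   ROOT defaults to "/" (assumed parameter; lets the check run on a chroot
#   or mounted image). Prints one line per finding. Return value:
#     0  no file named mdcheck found under ROOT
#     1  only non-executable copies under ROOT/usr/share/doc, i.e. the
#        documentation-only packaging the bug report describes
#     2  an executable copy exists, a copy sits outside the doc directory,
#        or cron/systemd configuration under ROOT refers to mdcheck
mdcheck_status() {
    root="${1:-/}"
    root="${root%/}"        # strip trailing slash so "$root/usr" joins cleanly
    worst=0

    # 1. Every regular file literally named mdcheck under the prefixes where a
    #    package or an administrator would plausibly put it. Directory list is
    #    an assumption of this example; nonexistent directories are ignored.
    files=$(find "$root/usr" "$root/etc" "$root/opt" -xdev -type f \
                 -name mdcheck 2>/dev/null | sort -u)
    for f in $files; do          # assumes no whitespace in these paths
        case "$f" in
            "$root"/usr/share/doc/*) in_doc=1 ;;
            *)                       in_doc=0 ;;
        esac
        if [ -x "$f" ]; then
            echo "EXECUTABLE copy: $f"
            worst=2
        elif [ "$in_doc" -eq 1 ]; then
            echo "documentation copy (not executable): $f"
            if [ "$worst" -lt 1 ]; then worst=1; fi
        else
            echo "installed copy outside /usr/share/doc (not executable): $f"
            worst=2
        fi
    done

    # 2. Scheduler configuration that names mdcheck. A non-executable copy is
    #    still run if a cron line or unit invokes it via "sh /path/to/mdcheck".
    for d in "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.daily" \
             "$root/etc/cron.weekly" "$root/etc/systemd" \
             "$root/usr/lib/systemd" "$root/lib/systemd"; do
        [ -e "$d" ] || continue
        refs=$(grep -rls 'mdcheck' "$d" 2>/dev/null || true)
        for r in $refs; do
            echo "scheduler reference to mdcheck: $r"
            worst=2
        done
    done

    return "$worst"
}

# Usage: sh mdcheck_audit.sh /          (or a mounted image root)
# The audit runs only when a ROOT argument is given, so sourcing the file
# to reuse the function has no side effects.
if [ "$#" -gt 0 ]; then
    mdcheck_status "$1"
fi
```

On a stock affected RHEL host the expected result is return code 1 with a single "documentation copy (not executable)" line for /usr/share/doc/mdadm-*/mdcheck; return code 2 means the script has been put somewhere it can run and the comment's "not used by default" reasoning no longer applies to that host.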