Red Hat Bugzilla – Bug 1168485
CVE-2014-9114 util-linux: command injection flaw in blkid
Last modified: 2015-10-19 08:39:12 EDT
Sebastian Krahmer reported a command injection flaw in blkid. This could possibly result in command execution with root privileges (for example, when running blkid on a malicious USB drive): http://www.openwall.com/lists/oss-security/2014/11/26/13
Created util-linux tracking bugs for this issue: Affects: fedora-all [bug 1168490]
Tested on Fedora, seems it will be affected. I am not aware of any patches.
(In reply to Murray McAllister from comment #0) > Sebastian Krahmer reported a command injection flaw in blkid. This could > possibly result in command execution with root privileges (for example, when > running blkid on a malicious USB drive): > > http://www.openwall.com/lists/oss-security/2014/11/26/13 This is not true, udev never ever call "blkid -o udev", it always call blkid command with -p to *avoid* blkid cache usage.
And we don't use blkid binary in recent udevd at all, it's directly linked with libblkid and it does not use cached results at all.
Fixed in upstream tree, commit: https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc
(In reply to Karel Zak from comment #5) > Fixed in upstream tree, commit: > > https://github.com/karelzak/util-linux/commit/ > 89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc Hi Karel, Thank you for the info and patch!
RHEL 5 is not affected by this, as blkid does not have option to format output as key=value to be eval`d. Only permitted options are value, device and full. RHEL 6 is affected. As Karel mentioned, udev calls with -p, so the only suspicious call I found is in dracut-functions: 138 get_fs_env() { 139 if [[ -x /lib/udev/vol_id ]]; then 140 eval $(/lib/udev/vol_id --export $1) 141 elif find_binary blkid >/dev/null; then 142 eval $(blkid -o udev $1) 143 else 144 return 1 145 fi 146 } To trigger this code, one has to call `dracut --hostonly`, which forces sequential scan of entries in /proc/mounts. The scan continues until it finds entry which corresponds to /. Each entry passes through get_fs_env(), so if any of the devices up to and including / in /proc/mounts contain filesystem with malicious label, running dracut with hostonly would result in execution of command in malicious label. Content in /proc/mounts is appended, so malicious USB should not be an issue. RHEL 7 is affected, but I haven`t found any code which would eval the output from blkid -o udev.
References: https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc http://www.openwall.com/lists/oss-security/2014/11/26/13
util-linux-2.24.2-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
util-linux-2.25.2-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue affects the versions of util-linux as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. Because exploitability of this issue requires conditions unlikely to occur, this issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.