Bug 1168485 (CVE-2014-9114) - CVE-2014-9114 util-linux: command injection flaw in blkid
Summary: CVE-2014-9114 util-linux: command injection flaw in blkid
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-9114
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1168490
Blocks: 1168492
TreeView+ depends on / blocked
 
Reported: 2014-11-27 06:04 UTC by Murray McAllister
Modified: 2019-09-29 13:24 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-22 11:14:24 UTC


Attachments (Terms of Use)

Description Murray McAllister 2014-11-27 06:04:55 UTC
Sebastian Krahmer reported a command injection flaw in blkid. This could possibly result in command execution with root privileges (for example, when running blkid on a malicious USB drive):

http://www.openwall.com/lists/oss-security/2014/11/26/13

Comment 1 Murray McAllister 2014-11-27 06:21:58 UTC
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1168490]

Comment 2 Murray McAllister 2014-11-27 06:23:14 UTC
Tested on Fedora, seems it will be affected. I am not aware of any patches.

Comment 3 Karel Zak 2014-11-27 09:23:54 UTC
(In reply to Murray McAllister from comment #0)
> Sebastian Krahmer reported a command injection flaw in blkid. This could
> possibly result in command execution with root privileges (for example, when
> running blkid on a malicious USB drive):
> 
> http://www.openwall.com/lists/oss-security/2014/11/26/13

This is not true, udev never ever call "blkid -o udev", it always call blkid command with -p to *avoid* blkid cache usage.

Comment 4 Karel Zak 2014-11-27 12:21:17 UTC
And we don't use blkid binary in recent udevd at all, it's directly linked with  libblkid and it does not use cached results at all.

Comment 5 Karel Zak 2014-11-27 13:12:58 UTC
Fixed in upstream tree, commit:

https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc

Comment 6 Murray McAllister 2014-11-27 13:18:35 UTC
(In reply to Karel Zak from comment #5)
> Fixed in upstream tree, commit:
> 
> https://github.com/karelzak/util-linux/commit/
> 89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc

Hi Karel,

Thank you for the info and patch!

Comment 7 Ján Rusnačko 2014-12-01 21:33:42 UTC
RHEL 5 is not affected by this, as blkid does not have option to format output as key=value to be eval`d. Only permitted options are value, device and full.

RHEL 6 is affected. As Karel mentioned, udev calls with -p, so the only suspicious call I found is in dracut-functions:

    138 get_fs_env() {
    139     if [[ -x /lib/udev/vol_id ]]; then
    140 	eval $(/lib/udev/vol_id --export $1)
    141     elif find_binary blkid >/dev/null; then
    142 	eval $(blkid -o udev $1)
    143     else
    144 	return 1
    145     fi
    146 }

To trigger this code, one has to call `dracut --hostonly`, which forces sequential scan of entries in /proc/mounts. The scan continues until it finds entry which corresponds to /. Each entry passes through get_fs_env(), so if any of the devices up to and including / in /proc/mounts contain filesystem with malicious label, running dracut with hostonly would result in execution of command in malicious label. Content in /proc/mounts is appended, so malicious USB should not be an issue.

RHEL 7 is affected, but I haven`t found any code which would eval the output from blkid -o udev.

Comment 11 Fedora Update System 2014-12-04 06:24:13 UTC
util-linux-2.24.2-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2014-12-15 04:33:45 UTC
util-linux-2.25.2-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Ján Rusnačko 2015-10-19 12:39:12 UTC
Statement:

This issue affects the versions of util-linux as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. Because exploitability of this issue requires conditions unlikely to occur, this issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.