Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1534893 - RHEL7: util-linux: mount/unmount ASLR bypass via environment variable in libmount
RHEL7: util-linux: mount/unmount ASLR bypass via environment variable in libm...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: util-linux (Show other bugs)
7.4
All Linux
low Severity low
: rc
: ---
Assigned To: Karel Zak
Radka Skvarilova
impact=low,public=20180111,reported=2...
: Security
Depends On: 1534076 1534077
Blocks:
  Show dependency treegraph
 
Reported: 2018-01-16 03:45 EST by Karel Zak
Modified: 2018-04-10 13:28 EDT (History)
7 users (show)

See Also:
Fixed In Version: util-linux-2.23.2-50.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1534076
Environment:
Last Closed: 2018-04-10 13:27:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0936 None None None 2018-04-10 13:28 EDT

  None (edit)
Description Karel Zak 2018-01-16 03:45:44 EST 
+++ This bug was initially created as a clone of Bug #1534076 +++

Debugging of libmount can be activated, also in SUID binaries, thus spilling out the heap addresses. This allows to create a local domain socket with only 4k buffer size, fill it up until writes are blocking and then start umount with that socket as stdout. This allows race-free reading of the address output before umount accesses other user-controlled resource. Thus any error during the downstream procedure creating some kind of write-where vulnerability will always find the correct target.

References:
https://www.spinics.net/lists/util-linux-ng/msg14978.html

--- Additional comment from Laura Pardo on 2018-01-12 19:14:03 EST ---

Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1534077]
Comment 9 errata-xmlrpc 2018-04-10 13:27:15 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0936
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.