Bug 1589839 – CVE-2014-5220 mdadm: Improper sanitization of device names allows arbitrary command execution

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1589839 - (CVE-2014-5220) CVE-2014-5220 mdadm: Improper sanitization of device names allows arbitrary command execution

Summary:	CVE-2014-5220 mdadm: Improper sanitization of device names allows arbitrary c...

Status:	CLOSED NOTABUG

Aliases:	CVE-2014-5220

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20141217,repor...
Keywords:	Security

Depends On:
Blocks:	1590393
	Show dependency tree / graph

Reported:	2018-06-11 09:43 EDT by Adam Mariš
Modified:	2018-06-15 17:36 EDT (History)
CC List:	7 users (show)

See Also:
Fixed In Version:	mdadm 3.3.3
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-06-11 09:46:10 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2018-06-11 09:43:05 EDT

The mdcheck script of the mdadm package for openSUSE 13.2 prior to version 3.3.1-5.14.1 does not properly sanitize device names, which allows local attackers to execute arbitrary commands as root.

Bug report:

https://bugzilla.suse.com/show_bug.cgi?id=910500

Comment 1 Adam Mariš 2018-06-11 11:55:12 EDT

Upstream patch:

https://github.com/mapcollab/mdadm/commit/979b1feb093b1c2e0f8b58716329f2da092741d4

Comment 2 Tomas Hoger 2018-06-12 17:06:20 EDT

The mdcheck script was added to mdadm in the upstream version 3.3.1, and it was fixed via the the commit linked above in upstream version 3.3.3.

Comment 3 Tomas Hoger 2018-06-15 17:36:33 EDT

Affected upstream versions of mdadm were included in Red Hat Enterprise Linux 6.7, 7.1, and 7.2.

However, in the Red Hat Enterprise Linux mdadm packages, the mdcheck script is only included in the /usr/share/doc/mdadm* directory and is not installed executable.  Therefore, it is not used by default, and is not expected to be commonly used.

Note You need to log in before you can comment on or make changes to this bug.