Bug 1632828 - (CVE-2018-17336) CVE-2018-17336 udisks: Format string vulnerability in udisks_log in udiskslogging.c
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20180922,repor...
Keywords: Security
Depends On: 1632831 1637427 1632829 1632830
Blocks: 1632832
Reported: 2018-09-25 11:53 EDT by Pedro Sampaio
Modified: 2018-10-24 14:02 EDT
Doc Text:
An uncontrolled format string vulnerability has been discovered in udisks when it mounts a filesystem with a malformed label. A local attacker may use this flaw to leak memory, make the udisks service crash, or cause other unspecified effects.
Description Pedro Sampaio 2018-09-25 11:53:03 EDT
UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n substrings.

Upstream issue:

https://github.com/storaged-project/udisks/issues/578

Upstream patch:

https://github.com/pothos/udisks/commit/e369a9b4b08e9373c814c05328b366c938284eb5
Comment 1 Pedro Sampaio 2018-09-25 11:53:43 EDT
Created udisks tracking bugs for this issue:

Affects: fedora-all [bug 1632829]


Created udisks2 tracking bugs for this issue:

Affects: fedora-all [bug 1632830]
Comment 6 Riccardo Schirone 2018-10-09 04:27:07 EDT
For the attack to be successful, an attacker should have physical access to the machine and be able to insert a USB device with a malformed filesystem and wait until udisks2 automounts it. This usually happens automatically for a USB device when the user uses a graphical environment (e.g. GNOME). Otherwise, the attack may still be performed if an attacker already has high privileges that allow him to mount devices with udisksctl.
Comment 7 Riccardo Schirone 2018-10-09 05:06:15 EDT
On RHEL the udisks2 packages are compiled with FORTIFY_SOURCE=2, which makes this kind of attack less dangerous because the classic '%n' is blocked if the format string is in a writable segment, as in this case. This, however, does not prevent information leaks or crashes.
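
The bug class described in this report, shown as an added example that is not udisks code and is not taken from the upstream patch: a log message that already contains the filesystem label is passed as the format string, next to the hardened form that passes it only as data. The names `log_sink`, `log_mount_vulnerable` and `log_mount_fixed` and the message text are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style log sink, standing in for a real logging backend.
 * Declaring it with __attribute__((format(printf, 3, 4))) would let
 * gcc -Wformat-security flag the vulnerable call below at compile time. */
static int log_sink(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern: the message embeds the untrusted label and is then
 * handed to the sink as the format string itself. */
static int log_mount_vulnerable(char *out, size_t n, const char *label)
{
    char msg[256];
    snprintf(msg, sizeof msg, "Mounted filesystem '%s'", label);
    return log_sink(out, n, msg);        /* msg is parsed for directives */
}

/* Hardened pattern: constant format, untrusted text passed only as data. */
static int log_mount_fixed(char *out, size_t n, const char *label)
{
    char msg[256];
    snprintf(msg, sizeof msg, "Mounted filesystem '%s'", label);
    return log_sink(out, n, "%s", msg);
}

int main(void)
{
    char a[256], b[256];
    /* Constructed label. "%%" consumes no argument, so the vulnerable path
     * stays well-defined while still showing that the label is interpreted. */
    const char *label = "DATA_100%%";
    log_mount_vulnerable(a, sizeof a, label);
    log_mount_fixed(b, sizeof b, label);
    printf("vulnerable: %s\nfixed:      %s\n", a, b);
    /* Directives such as those named in the report are logged verbatim. */
    log_mount_fixed(b, sizeof b, "%d%n");
    printf("fixed:      %s\n", b);
    return 0;
}
```

The vulnerable path collapses `%%` to `%`, which shows the label being parsed as a format; the fixed path reproduces the label byte for byte.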