Bug 168326 - CAN-2005-2876 umount unsafe -r usage
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: util-linux
Assigned To: Fedora Legacy Bugs
rh73, rh9, 1, 2, LEGACY
: Security
Reported: 2005-09-14 19:59 EDT by Jeff Sheltren
Modified: 2007-04-18 13:31 EDT
Last Closed: 2005-12-18 00:05:44 EST
Description Jeff Sheltren 2005-09-14 19:59:52 EDT
Users with access to umount a filesystem could use the -r flag to get rid of
filesystem options such as 'nosuid', leading to root access.

See CAN-2005-2876, and/or bugtraq post:
http://marc.theaimsgroup.com/?l=bugtraq&m=112656096125857&w=2

This affects all legacy distributions.
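
A defensive check for the condition described above, as an added example that is not part of the original bug report or of util-linux: it compares user-mountable fstab entries with the live mount table and reports mounts that have lost nosuid or nodev. The function names and the sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example. audit_user_mounts FSTAB MOUNTS prints
# "<mountpoint> missing:<flags>" for each user-mountable fstab entry whose
# live mount (MOUNTS, /proc/mounts format) lacks nosuid or nodev.
audit_user_mounts() {
    awk '
    function has(list, opt,    n, i, a) {
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == opt) return 1
        return 0
    }
    # First file (fstab): record the flags each user-mountable entry expects.
    NR == FNR {
        if (NF < 4 || $1 ~ /^#/) next
        o = $4
        if (!(has(o, "user") || has(o, "users") || has(o, "owner") || has(o, "group"))) next
        # These options imply nosuid,nodev. Simplification: an explicit
        # suid/dev anywhere in the list is treated as an override.
        want[$2] = (has(o, "suid") ? "" : "nosuid") " " (has(o, "dev") ? "" : "nodev")
        next
    }
    # Second file (live mounts): report expected flags that are absent.
    ($2 in want) {
        miss = ""
        n = split(want[$2], w, " ")
        for (i = 1; i <= n; i++)
            if (!has($4, w[i])) miss = miss (miss == "" ? "" : ",") w[i]
        if (miss != "") print $2 " missing:" miss
    }' "$1" "$2"
}

# Constructed sample tables: /mnt/cdrom is mounted without nosuid/nodev, the
# condition described in this bug; /mnt/floppy still carries its flags.
write_samples() {
    cat > "$1/fstab" <<'EOF'
/dev/cdrom  /mnt/cdrom   iso9660  noauto,user,ro  0 0
/dev/fd0    /mnt/floppy  auto     noauto,owner    0 0
/dev/hda1   /            ext3     defaults        1 1
EOF
    cat > "$1/mounts" <<'EOF'
/dev/cdrom /mnt/cdrom iso9660 ro 0 0
/dev/fd0 /mnt/floppy vfat rw,nosuid,nodev 0 0
/dev/hda1 / ext3 rw 0 0
EOF
}

d=$(mktemp -d) && write_samples "$d" && audit_user_mounts "$d/fstab" "$d/mounts"
rm -rf "$d"
```

On a live system the call would be `audit_user_mounts /etc/fstab /proc/mounts`.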
Comment 1 Jeff Sheltren 2005-10-11 21:24:06 EDT
I've created packages for RH7.3, RH9, FC1 and FC2.  I had to modify the patches
from RHEL, but the only change is the line number which was different in
the different versions.

Also, I added BuildRequires: texinfo to the 7.3, 9, and FC1 packages,
the FC2 package had it already.

I was having some problems building these under mock, and I'm not sure why.
They build fine on real legacy systems, so I'm still looking into that.
It seems that the test for ARCH in the sys-utils sub directory is skipping
the builds of rdev, etc. in mock.

Packages are here:
http://www.cs.ucsb.edu/~jeff/legacy/util-linux/

7.3
b08322495a1a808fccf02e64145a653997b25202  util-linux-2.11n-12.7.3.1.legacy.src.rpm
9
bd438f8ba2de163ff1f8a18e4533283a09cce132  util-linux-2.11y-9.1.legacy.src.rpm
FC1
7ade9dddd4197679198b6f8cd2a31d7689057072  util-linux-2.11y-29.1.legacy.src.rpm
FC2
ae9f4ff168014823e6e1c3ce119ef2fa7d387d5b  util-linux-2.12-18.1.legacy.src.rpm
Comment 2 Pekka Savola 2005-11-13 12:39:53 EST
It appears the following were never fixed:

CVE-2004-0080
Description: The login program in util-linux 2.11 and earlier uses a pointer
after it has been freed and reallocated, which could cause login to leak
sensitive data.  

Maybe we should re-spin to address that as well?  I can do publishes.
Comment 3 Jeff Sheltren 2005-11-14 11:18:31 EST
Pekka, it looks like the 7.3 and newer packages are not vulnerable to
CVE-2004-0080, see old bugzilla discussion:
http://bugzilla.fedora.us/show_bug.cgi?id=1256
Comment 4 Pekka Savola 2005-11-15 05:07:39 EST
QA w/ build-compare.sh
 - source integrity good
 - spec file changes minimal
 - patches verified to come from RHEL

Yes, it appears that the CAN-2004 should have been addressed already.

I noted that FC2 util-linux has been made against 2.12-18, but 2.12-19 did
appear on FC2 updates; could you re-spin that?

+PUBLISH RHL73, RHL9, FC1

b08322495a1a808fccf02e64145a653997b25202  util-linux-2.11n-12.7.3.1.legacy.src.rpm
7ade9dddd4197679198b6f8cd2a31d7689057072  util-linux-2.11y-29.1.legacy.src.rpm
bd438f8ba2de163ff1f8a18e4533283a09cce132  util-linux-2.11y-9.1.legacy.src.rpm
ae9f4ff168014823e6e1c3ce119ef2fa7d387d5b  util-linux-2.12-18.1.legacy.src.rpm
Comment 5 Jeff Sheltren 2005-11-15 05:55:06 EST
Thanks for catching that!  Not sure how I grabbed the wrong package.

Anyway, here's an updated package for FC2:

http://www.cs.ucsb.edu/~jeff/legacy/util-linux/util-linux-2.12-19.1.legacy.src.rpm

0f33ae7e9f36b64205151d7559840ded6dbc57ed  util-linux-2.12-19.1.legacy.src.rpm
Comment 6 Pekka Savola 2005-11-16 01:52:16 EST
QA for FC2; the same checks as above, this version is good.

+PUBLISH FC2

0f33ae7e9f36b64205151d7559840ded6dbc57ed  util-linux-2.12-19.1.legacy.src.rpm
Comment 7 Marc Deslauriers 2005-11-19 11:00:21 EST
Packages were pushed to updates-testing
Comment 8 Eric Jon Rostetter 2005-11-19 21:40:12 EST
++VERIFY for RHL 9

Downloaded packages:

969d19231dc24415f7d761539b59ba772c716a36  losetup-2.11y-9.2.legacy.i386.rpm
cbe71d4ed7c39c0ed186a548c194c44e3328595b  mount-2.11y-9.2.legacy.i386.rpm
926ae6d1c9f6d5309ab24c712cbe2a3ec97bba1c  util-linux-2.11y-9.2.legacy.i386.rpm

First, I verified the mount bug before installing the packages (it worked,
I was able to umount -r a filesystem to remove restrictions).

Next I installed the above packages.  No problems in installation.  No
problems seen after installation.  Tried to reproduce the umount -r bug
and could no longer do it.

Vote for release for RHL 9  ++VERIFY
Comment 9 Pekka Savola 2005-11-26 03:33:45 EST
QA for RHL73:
 - gpg signature OK
 - rpm-build-compare on binaries looks good
 - as Eric, I tested the vulnerability before upgrade
   and after upgrade, and it seemed to work fine.

+VERIFY RHL73
Comment 10 Jim Popovitch 2005-12-04 21:55:07 EST
++VERIFY RH73

No noticeable issues or problems after 2 weeks on production systems.

0c671214cb28d21b71917d04e4cdce3240515b45  losetup-2.11n-12.7.3.2.legacy.i386.rpm
437139c00fbc4109ea3cd66b88a778a023d07298  mount-2.11n-12.7.3.2.legacy.i386.rpm
e39b80b435a545f87878cb2d4f6e89d89ec2c88f  util-linux-2.11n-12.7.3.2.legacy.i386.rpm

-Jim P.
Comment 11 David Eisenstein 2005-12-05 17:47:29 EST
QA for FC1 util-linux packages.

f1b2f60ee7b5fb3149ab3b36133c930c6eecb788  util-linux-2.11y-29.2.legacy.i386.rpm
881c066cf8ec3aa25450a7e8db2f43e55faaef40  mount-2.11y-29.2.legacy.i386.rpm
501380711d59e946f1dab5a40b0906525393d766  losetup-2.11y-29.2.legacy.i386.rpm

  * sha1sums compare well; properly signed with Fedora Legacy key
  * rpm-build-compare of all 3 packages looks reasonable
  * Installed fine.
  * umount -r can no longer be used by an unprivileged user, closing the
    potential privilege escalation vulnerability.
  * Have done various mountings, losetup, pivotroot at boot, etc.  All seem
    to work well.

   VERIFY++ FC1 util-linux-, mount-, & losetup-2.11y-29.2.legacy
Comment 12 Marc Deslauriers 2005-12-18 00:05:44 EST
Packages were released.