Users with access to umount a filesystem could use the -r flag to get rid of filesystem options such as 'nosuid', leading to root access.
See CAN-2005-2876, and/or bugtraq post:
http://marc.theaimsgroup.com/?l=bugtraq&m=112656096125857&w=2
This affects all legacy distributions.
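A defensive check for the condition described above, as an added example that is not part of the original report or of util-linux: it compares live mount options with the restrictions /etc/fstab implies and reports mounts that have lost nosuid or nodev. The function names and the sample fstab and /proc/mounts text are constructed for illustration.

```python
# Added example: audit live mounts against the restrictions /etc/fstab implies.
# Per mount(8), user, users, owner and group each imply nosuid and nodev.
USER_OPTS = {"user", "users", "owner", "group"}

def expected_restrictions(options):
    """Walk fstab options left to right, tracking nosuid/nodev."""
    flags = set()
    for opt in options.split(","):
        if opt in USER_OPTS:
            flags |= {"nosuid", "nodev"}
        elif opt in ("nosuid", "nodev"):
            flags.add(opt)
        elif opt in ("suid", "dev"):   # explicit override, e.g. user,suid
            flags.discard("no" + opt)
    return flags

def parse_table(text):
    """Yield (mountpoint, options) from fstab- or /proc/mounts-style text."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            yield fields[1], fields[3]

def lost_restrictions(fstab_text, mounts_text):
    """Return (mountpoint, missing options) for mounts weaker than fstab says."""
    expected = {mp: expected_restrictions(o) for mp, o in parse_table(fstab_text)}
    findings = []
    for mp, opts in parse_table(mounts_text):
        missing = expected.get(mp, set()) - set(opts.split(","))
        if missing:
            findings.append((mp, sorted(missing)))
    return findings

# Constructed sample data, not taken from any real system.
SAMPLE_FSTAB = """\
# constructed fstab
/dev/hda1  /           ext3     defaults         1 1
/dev/cdrom /mnt/cdrom  iso9660  noauto,owner,ro  0 0
/dev/sda1  /mnt/usb    vfat     noauto,user      0 0
"""
SAMPLE_MOUNTS = """\
/dev/hda1 / ext3 rw 0 0
/dev/cdrom /mnt/cdrom iso9660 ro,nosuid,nodev 0 0
/dev/sda1 /mnt/usb vfat ro 0 0
"""

if __name__ == "__main__":
    for mp, missing in lost_restrictions(SAMPLE_FSTAB, SAMPLE_MOUNTS):
        print(f"{mp}: mounted without {','.join(missing)}")
```

On a real host, pass the contents of /etc/fstab and /proc/mounts; a read-only mount of a user-mountable filesystem that lacks nosuid is the state a vulnerable umount -r leaves behind.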
I've created packages for RH7.3, RH9, FC1 and FC2. I had to modify the patches from RHEL, but the only change is the line number which was different in the different versions. Also, I added BuildRequires: texinfo to the 7.3, 9, and FC1 packages, the FC2 package had it already.
I was having some problems building these under mock, and I'm not sure why. They build fine on real legacy systems, so I'm still looking into that. It seems that the test for ARCH in the sys-utils sub directory is skipping the builds of rdev, etc. in mock.
Packages are here: http://www.cs.ucsb.edu/~jeff/legacy/util-linux/
7.3 b08322495a1a808fccf02e64145a653997b25202 util-linux-2.11n-12.7.3.1.legacy.src.rpm
9 bd438f8ba2de163ff1f8a18e4533283a09cce132 util-linux-2.11y-9.1.legacy.src.rpm
FC1 7ade9dddd4197679198b6f8cd2a31d7689057072 util-linux-2.11y-29.1.legacy.src.rpm
FC2 ae9f4ff168014823e6e1c3ce119ef2fa7d387d5b util-linux-2.12-18.1.legacy.src.rpm

It appears the following were never fixed:
CVE-2004-0080
Description: The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data.
Maybe we should re-spin to address that as well? I can do publishes.

Pekka, it looks like the 7.3 and newer packages are not vulnerable to CVE-2004-0080, see old bugzilla discussion: http://bugzilla.fedora.us/show_bug.cgi?id=1256
QA w/ build-compare.sh
- source integrity good
- spec file changes minimal
- patches verified to come from RHEL
Yes, it appears that the CAN-2004 should have been addressed already. I noted that FC2 util-linux has been made against 2.12-18, but 2.12-19 did appear on FC2 updates; could you re-spin that?
+PUBLISH RHL73, RHL9, FC1
b08322495a1a808fccf02e64145a653997b25202 util-linux-2.11n-12.7.3.1.legacy.src.rpm
7ade9dddd4197679198b6f8cd2a31d7689057072 util-linux-2.11y-29.1.legacy.src.rpm
bd438f8ba2de163ff1f8a18e4533283a09cce132 util-linux-2.11y-9.1.legacy.src.rpm
ae9f4ff168014823e6e1c3ce119ef2fa7d387d5b util-linux-2.12-18.1.legacy.src.rpm

Thanks for catching that! Not sure how I grabbed the wrong package. Anyway, here's an updated package for FC2:
http://www.cs.ucsb.edu/~jeff/legacy/util-linux/util-linux-2.12-19.1.legacy.src.rpm
0f33ae7e9f36b64205151d7559840ded6dbc57ed util-linux-2.12-19.1.legacy.src.rpm

QA for FC2; the same checks as above, this version is good.
+PUBLISH FC2
0f33ae7e9f36b64205151d7559840ded6dbc57ed util-linux-2.12-19.1.legacy.src.rpm

Packages were pushed to updates-testing
++VERIFY for RHL 9
Downloaded packages:
969d19231dc24415f7d761539b59ba772c716a36 losetup-2.11y-9.2.legacy.i386.rpm
cbe71d4ed7c39c0ed186a548c194c44e3328595b mount-2.11y-9.2.legacy.i386.rpm
926ae6d1c9f6d5309ab24c712cbe2a3ec97bba1c util-linux-2.11y-9.2.legacy.i386.rpm
First, I verified the mount bug before installing the packages (it worked, I was able to umount -r a filesystem to remove restrictions). Next I installed the above packages. No problems in installation. No problems seen after installation. Tried to reproduce the umount -r bug and could no longer do it.
Vote for release for RHL 9
++VERIFY

QA for RHL73:
- gpg signature OK
- rpm-build-compare on binaries looks good
- as eric, I tested the vulnerability before upgrade and after upgrade, and it seemed to work fine.
+VERIFY RHL73

++VERIFY RH73
No noticeable issues or problems after 2 weeks on production systems.
0c671214cb28d21b71917d04e4cdce3240515b45 losetup-2.11n-12.7.3.2.legacy.i386.rpm
437139c00fbc4109ea3cd66b88a778a023d07298 mount-2.11n-12.7.3.2.legacy.i386.rpm
e39b80b435a545f87878cb2d4f6e89d89ec2c88f util-linux-2.11n-12.7.3.2.legacy.i386.rpm
-Jim P.

QA for FC1 util-linux packages.
f1b2f60ee7b5fb3149ab3b36133c930c6eecb788 util-linux-2.11y-29.2.legacy.i386.rpm
881c066cf8ec3aa25450a7e8db2f43e55faaef40 mount-2.11y-29.2.legacy.i386.rpm
501380711d59e946f1dab5a40b0906525393d766 losetup-2.11y-29.2.legacy.i386.rpm
* sha1sums compare well; properly signed with Fedora Legacy key
* rpm-build-compare of all 3 packages looks reasonable
* Installed fine.
* umount -r can no longer be used by an unprivileged user, closing the potential privilege escalation vulnerability.
* Have done various mountings, losetup, pivotroot at boot, etc. All seem to work well.
VERIFY++ FC1 util-linux-, mount-, & losetup-2.11y-29.2.legacy

Packages were released.