2238716 – (CVE-2020-21583) CVE-2020-21583 util-linux: arbitrary commands execution via the path parameter

Bug 2238716 (CVE-2020-21583) - CVE-2020-21583 util-linux: arbitrary commands execution via the path parameter

Summary: CVE-2020-21583 util-linux: arbitrary commands execution via the path parameter

Keywords:
Status:	NEW
Alias:	CVE-2020-21583
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2238718
TreeView+	depends on / blocked

Reported:	2023-09-13 10:25 UTC by msiddiqu
Modified:	2025-01-03 08:27 UTC (History)
CC List:	33 users (show)
Fixed In Version:	util-linux 2.27-rc1
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description msiddiqu 2023-09-13 10:25:50 UTC

An issue was discovered in hwclock.13-v2.27 allows attackers to gain escalated privlidges or execute arbitrary commands via the path parameter when setting the date.

Comment 1 msiddiqu 2023-09-13 10:28:38 UTC

References: 
 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786804
https://packetstormsecurity.com/files/132061/hwclock-Privilege-Escalation.html

Comment 2 msiddiqu 2023-09-13 11:02:47 UTC

Upstream Patch:

https://github.com/util-linux/util-linux/commit/687cc5d58942b24a9f4013c68876d8cbea907ab1

Note You need to log in before you can comment on or make changes to this bug.

aarif
adudiak
agarcial
aoconnor
aprice
asegurap
bdettelb
caswilli
dfreiber
dkuc
drow
fjansen
hkataria
jburrell
jmitchel
jsamir
jsherril
jtanner
kaycoth
kshier
luizcosta
mpierce
nweather
omaciel
orabin
psegedy
stcannon
sthirugn
tsasak
vkrizan
vkumar
vmugicag
yguenane