Bug 1172549 (CVE-2014-7208) - CVE-2014-7208 gparted: unsafe OS command execution
Summary: CVE-2014-7208 gparted: unsafe OS command execution
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-7208
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1133315 1171909
Blocks:
 
Reported: 2014-12-10 11:06 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:54 UTC
CC List: 5 users

Fixed In Version: GParted 0.15.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-20 14:48:48 UTC
Embargoed:



Description Vasyl Kaigorodov 2014-12-10 11:06:43 UTC
GParted <= 0.14.1 does not properly sanitize strings before passing them as parameters to an OS command. Those commands are executed using root privileges.

Parameters that are used for OS commands in GParted are normally determined by the user (e.g. disk labels, mount points). However, under certain circumstances, an attacker can use external storage to inject command parameters. These circumstances are met if, for example, an automounter uses a file system label as part of the mount path.
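
The injection path described above, as an added example that is not GParted's code and not part of this report. It assumes a hypothetical label-setting command (e2label), a constructed device name (/dev/sdb1) and a constructed hostile label; the attacker-controlled string is the same whether it is read straight from the device or arrives through an automounter path such as /media/<label>. The small tokenizer is a simplified model of how sh splits a command line (spaces, single quotes, backslash, ';' and '#'), used only to make the difference between the three builders visible; the real fix is to stop handing attacker-influenced text to a shell at all.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed sample label. A filesystem label is written by whoever formats the
// device, so an attacker with a USB stick chooses it freely. The ';' ends the
// intended command and the trailing '#' swallows anything appended after it.
const std::string kHostileLabel = "usb; touch /tmp/pwned #";

// Vulnerable pattern: concatenate user-influenced data into one shell string that
// is later run as root via something like "sh -c". Every metacharacter in the
// label is interpreted by the shell.
std::string build_unsafe(const std::string& dev, const std::string& label) {
    return "e2label " + dev + " " + label;
}

// Fix 1: POSIX single-quote escaping. Nothing is special inside '...', so the only
// character that needs care is the quote itself, written as '\'' (close the
// quoted run, emit an escaped quote, reopen).
std::string shell_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

std::string build_quoted(const std::string& dev, const std::string& label) {
    return "e2label " + shell_quote(dev) + " " + shell_quote(label);
}

// Fix 2 (preferred): never involve a shell. Keep an argument vector and pass it to
// an exec-style API (execvp, posix_spawn, g_spawn_async); with no command-line
// parser in the path there is nothing to inject into.
std::vector<std::string> build_argv(const std::string& dev, const std::string& label) {
    return {"e2label", dev, label};
}

// Simplified model of sh parsing: returns the list of commands the shell would
// run, each as its argument words. Illustrative only; it covers blanks, single
// quotes, backslash escapes, ';' separators and '#' comments.
std::vector<std::vector<std::string>> shell_view(const std::string& cmd) {
    std::vector<std::vector<std::string>> cmds(1);
    std::string tok;
    bool in_tok = false, in_sq = false;
    auto flush = [&]() {
        if (in_tok) { cmds.back().push_back(tok); tok.clear(); in_tok = false; }
    };
    for (size_t i = 0; i < cmd.size(); ++i) {
        char c = cmd[i];
        if (in_sq) {                      // inside '...': everything is literal
            if (c == '\'') in_sq = false;
            else tok += c;
            continue;
        }
        if (c == '\'') { in_sq = true; in_tok = true; }
        else if (c == '\\' && i + 1 < cmd.size()) { tok += cmd[++i]; in_tok = true; }
        else if (c == ' ' || c == '\t') flush();
        else if (c == ';') { flush(); cmds.emplace_back(); }
        else if (c == '#' && !in_tok) break;   // comment: rest of line ignored
        else { tok += c; in_tok = true; }
    }
    flush();
    if (cmds.size() > 1 && cmds.back().empty()) cmds.pop_back();
    return cmds;
}

static void show(const char* title, const std::string& cmdline) {
    std::cout << title << ": " << cmdline << "\n";
    for (const auto& c : shell_view(cmdline)) {
        std::cout << "  command:";
        for (const auto& w : c) std::cout << " [" << w << "]";
        std::cout << "\n";
    }
}

int main() {
    show("unsafe ", build_unsafe("/dev/sdb1", kHostileLabel));   // two commands, second is "touch"
    show("quoted ", build_quoted("/dev/sdb1", kHostileLabel));   // one command, label is one word
    std::cout << "argv   :";
    for (const auto& w : build_argv("/dev/sdb1", kHostileLabel)) std::cout << " [" << w << "]";
    std::cout << "\n";
    return 0;
}
```

Quoting (fix 1) is the minimal change when a code base is built around command strings, but it is only as good as the quoting routine and every call site that remembers to use it; passing an argument vector (fix 2) removes the class of bug rather than one instance of it.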

Comment 2 Vincent Danen 2015-01-20 14:48:48 UTC
Both Fedora and EPEL currently provide GParted >= 0.18.0 and are as such unaffected.


External References:

http://gparted.org/news.php?item=184

