UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n substrings.

Upstream issue: https://github.com/storaged-project/udisks/issues/578
Upstream patch: https://github.com/pothos/udisks/commit/e369a9b4b08e9373c814c05328b366c938284eb5
Created udisks tracking bugs for this issue: Affects: fedora-all [bug 1632829] Created udisks2 tracking bugs for this issue: Affects: fedora-all [bug 1632830]
For the attack to be successful, an attacker needs physical access to the machine and must be able to insert a USB device with a malformed filesystem and wait until udisks2 automounts it. This usually happens automatically for a USB device when the user uses a graphical environment (e.g. GNOME). Otherwise, the attack may still be performed if an attacker already has high privileges that allow him to mount devices with udisksctl.
On RHEL the udisks2 packages are compiled with FORTIFY_SOURCE=2, which makes this kind of attack less dangerous because the classic '%n' is blocked if the format string is in a writable segment, as in this case. This however does not prevent information leaks or crashes.
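To make the bug class concrete, here is an added example (not udisks code, and not taken from the upstream patch) of the pattern described above: a printf-style logging helper that is handed a device-supplied filesystem label as its format string, beside the hardened call that passes a fixed "%s" format and the label as data. The helper names (log_like, log_label_unsafe, log_label_safe, label_has_directive) and the label value are assumptions constructed for the illustration; "%p" is used instead of "%n" so the demo leaks rather than writes, and is therefore not affected by the FORTIFY_SOURCE=2 "%n" check.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logging helper such as
 * udisks_log. The defect is in how the caller passes the label,
 * not in this function itself. */
static void log_like(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the device-supplied label is passed AS the format
 * string, so every %-conversion in it is interpreted by vsnprintf and
 * consumes a variadic argument that was never supplied (stack/register
 * contents are read; "%n" would write). */
void log_label_unsafe(const char *label, char *out, size_t outlen)
{
    log_like(out, outlen, label);          /* attacker-controlled format */
}

/* Hardened pattern: fixed format, label is plain data. */
void log_label_safe(const char *label, char *out, size_t outlen)
{
    log_like(out, outlen, "%s", label);
}

/* Boundary check a defender might add when a label crosses from untrusted
 * metadata into logging code: does it contain any conversion directive?
 * Assumed helper for this example; "%%" is a literal percent sign. */
int label_has_directive(const char *label)
{
    for (const char *p = label; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed label an attacker could write into a filesystem's
     * label field before plugging the device in. */
    const char *label = "evil-%p-%p-%d";
    char buf[128];

    log_label_unsafe(label, buf, sizeof buf);
    printf("unsafe: %s\n", buf);   /* conversions expanded: leaked values */

    log_label_safe(label, buf, sizeof buf);
    printf("safe:   %s\n", buf);   /* label printed verbatim */

    printf("directive present: %d\n", label_has_directive(label));
    return 0;
}
```

Compiling with -Wformat-security (or the stricter -Wformat-nonliteral) flags calls where a printf-style function receives a non-literal format with no arguments, which is how the vulnerable call site stands out in review; FORTIFY_SOURCE=2 only aborts on "%n" when the format lives in writable memory, so the "%p"/"%x" information leak and the "%s"-induced crash remain.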
Hello, I see the bug has been added to errata [1]. Could you please update the bug to ON_QA and update "Fixed In Version"? [1] https://errata.devel.redhat.com/advisory/43919 thanks guazhang
This is a tracker bug created by the security team, I don't think we should be changing this one. I think this bug was not supposed to be added to the advisory.
(In reply to Vojtech Trefny from comment #10) > This is a tracker bug created by the security team, I don't think we should > be changing this one. I think this bug was not supposed to be added to the > advisory. The bug was dropped from the Errata. No need to change now.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2178 https://access.redhat.com/errata/RHSA-2019:2178
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-17336