dmcrypt-get-device does not check the return values of setuid() or setgid()

Bug #1673627 reported by Tyler Hicks
Affects: eject (Ubuntu); Status: Fix Released; Importance: High; Assigned to: Tyler Hicks

Bug Description

Ilja Van Sprundel discovered that dmcrypt-get-device does not properly handle errors returned from setuid()/setgid() despite being a setuid-root binary. Although it looks to be handling trustworthy input from the kernel after the setuid()/setgid() calls, the intent is to be parsing the data as a non-root user.

Here's the original report:

I noticed that dmcrypt-get-device is suid root. Its source code is apparently written at Ubuntu (according to the comments).
The code for which I found at http://archive.ubuntu.com/ubuntu/pool/main/e/eject/eject_2.1.5+deb1+cvs20081104-13.1.diff.gz

which has the following comments:
    * Opening /dev/mapper/control requires root privileges, therefore this
    * program needs to be installed setuid root. Root privileges are dropped
    * immediately after querying the information from the device mapper. The
    * parsing is done with normal user privileges afterwards.

The priv dropping happens in dmcrypt-get-device.c and looks as follows:

    /* Drop all privileges */
    setgid(getgid());
    setuid(getuid());

This unfortunately doesn't account for a failed call to setuid(), which would then perform the parsing as root.
You'll probably want to fix both the call to setgid() and setuid() with proper return value checks.
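As an added example (not code from the eject package or from the report), the unchecked privilege drop quoted above sits beside a hardened version that checks both calls and re-reads the resulting ids. The function-pointer seam and the always-failing setuid stub are hypothetical helpers so the failure path can be exercised without running as root.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical seams (not part of dmcrypt-get-device) so the failure
 * path can be exercised without root. */
typedef int (*setgid_fn)(gid_t);
typedef int (*setuid_fn)(uid_t);

/* The pattern from the report: both return values are discarded. If
 * setuid() fails (e.g. EAGAIN when the caller's uid is at RLIMIT_NPROC),
 * control falls through and the parser keeps running with euid 0. */
void drop_privileges_unchecked(void)
{
    setgid(getgid());
    setuid(getuid());
}

/* Hardened drop: gid first (setgid() would fail once uid 0 is gone),
 * every return value checked, and the outcome re-read from the kernel. */
int drop_privileges_checked_with(setgid_fn do_setgid, setuid_fn do_setuid)
{
    gid_t gid = getgid();
    uid_t uid = getuid();

    if (do_setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    if (do_setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    /* Belt and braces: confirm real and effective ids really changed. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int drop_privileges_checked(void) { return drop_privileges_checked_with(setgid, setuid); }

/* Constructed stub standing in for a setuid() call that fails with EAGAIN. */
int setuid_always_fails(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

int main(void)
{
    if (drop_privileges_checked() != 0)
        return EXIT_FAILURE; /* never fall through to parsing while still privileged */
    printf("parsing as uid %u\n", (unsigned)geteuid());
    return EXIT_SUCCESS;
}
```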

Tyler Hicks (tyhicks) wrote:

This has been assigned CVE-2017-6964

Tyler Hicks (tyhicks) wrote:

I'm attaching a fix for this issue. I've notified Debian of the issue and provided them with the patch. I'm waiting to hear if they're interested in an embargo period to fix the issue at the same time as Ubuntu.

Changed in eject (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) wrote:

Debian wasn't interested in an embargo. I'm now making this bug public and will be releasing security updates shortly.

information type: Private Security → Public Security
Tyler Hicks (tyhicks) wrote:

Stable Ubuntu releases have been fixed:

  https://www.ubuntu.com/usn/usn-3246-1/

This bug will get auto-closed when my upload to Zesty lands.

Changed in eject (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package eject - 2.1.5+deb1+cvs20081104-13.1ubuntu1

---------------
eject (2.1.5+deb1+cvs20081104-13.1ubuntu1) zesty; urgency=medium

  * SECURITY UPDATE: Improper check for dropped privileges (LP: #1673627)
    - dmcrypt-get-device.c: Ensure that setgid() and setuid() were successful
      before continuing
    - CVE-2017-6964

 -- Tyler Hicks <email address hidden> Mon, 27 Mar 2017 21:21:46 +0000

Changed in eject (Ubuntu):
status: Fix Committed → Fix Released
Andreas Henriksson (andreas-fatal) wrote:

Hi Tyler Hicks.

There's been discussions about moving over to util-linux eject on the Debian side in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737658

Is there anything that still uses dmcrypt-get-device as shipped as a not-from-upstream addition in the current eject package? codesearch.debian.net can't find anything. Can't we just drop the dmcrypt-get-device.c addition now? Do you know?

Regards,
Andreas Henriksson
