Ubuntu
eject package

dmcrypt-get-device does not check the return values of setuid() or setgid()

Bug #1673627 reported by Tyler Hicks on 2017-03-16

260

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	eject (Ubuntu)	Fix Released	High	Tyler Hicks

Bug Description

Ilja Van Sprundel discovered that dmcrypt-get-device does not properly handle errors returned from setuid()/setgid() despite being a setuid-root binary. Although it looks to be handling trustworthy input from the kernel after the setuid()/setgid() calls, the intent is to be parsing the data as a non-root user.

Here's the original report:

I noticed that dmcrypt-get-device is suid root. it's source code is apparently written at ubuntu (according to the comments)
The code for which I found at http://archive.ubuntu.com/ubuntu/pool/main/e/eject/eject_2.1.5+deb1+cvs20081104-13.1.diff.gz

which has the following comments:
* Opening /dev/mapper/control requires root privileges, therefore this
* program needs to be installed setuid root. Root privileges are dropped
* immediately after querying the information from the device mapper. The
* parsing is done with normal user privileges afterwards.

The priv dropping happens in dmcrypt-get-device.c and looks as follows:

    /* Drop all privileges */
    setgid(getgid());
    setuid(getuid());

This unfortunately doesn't account for a failed call to setuid(), which would then perform the parsing as root.
You'll probably want to fix both the call to setgid() and setuid() with proper return value checks.

CVE References

2017-6964

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2017-03-17:

This has been assigned CVE-2017-6964

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2017-03-23:

CVE-2017-6964.patch Edit (766 bytes, text/plain)

I'm attaching a fix for this issue. I've notified Debian of the issue and provided them with the patch. I'm waiting to hear if they're interested in an embargo period to fix the issue at the same time as Ubuntu.

Changed in eject (Ubuntu):
status:	Triaged → In Progress
assignee:	nobody → Tyler Hicks (tyhicks)

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2017-03-27:

Debian wasn't interested in an embargo. I'm now making this bug public and will be releasing security updates shortly.

information type:

Private Security → Public Security

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2017-03-27:

Stable Ubuntu releases have been fixed:

https://www.ubuntu.com/usn/usn-3246-1/

This bug will get auto-closed when my upload to Zesty lands.

Changed in eject (Ubuntu):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-03-28:

This bug was fixed in the package eject - 2.1.5+deb1+cvs20081104-13.1ubuntu1

---------------
eject (2.1.5+deb1+cvs20081104-13.1ubuntu1) zesty; urgency=medium

  * SECURITY UPDATE: Improper check for dropped privileges (LP: #1673627)
    - dmcrypt-get-device.c: Ensure that setgid() and setuid() were successful
      before continuing
    - CVE-2017-6964

-- Tyler Hicks <email address hidden> Mon, 27 Mar 2017 21:21:46 +0000

Changed in eject (Ubuntu):
status:	Fix Committed → Fix Released

Revision history for this message

Andreas Henriksson (andreas-fatal) wrote on 2017-03-28:

Hi Tyler Hicks.

There's been discussions about moving over to util-linux eject on the Debian side in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737658

Is there anything that still uses dmcrypt-get-device as shipped as a not-from-upstream addition in the current eject package? codesearch.debian.net can't find anything. Can't we just drop the dmcrypt-get-device.c addition now? Do you know?

Regards,
Andreas Henriksson