publicly exports dm key information

Bug #556651 reported by Martin Pitt
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| udisks | Fix Released | High | | |
| devicekit-disks (Ubuntu) | Invalid | Undecided | Unassigned | |
| Karmic | Invalid | High | Unassigned | |
| Lucid | Invalid | Undecided | Unassigned | |
| udisks (Debian) | Fix Released | Unknown | | |
| udisks (Ubuntu) | Fix Released | High | Martin Pitt | |
| Karmic | Invalid | Undecided | Unassigned | |
| Lucid | Fix Released | High | Martin Pitt | |

Bug Description

Binary package hint: udisks

udisks exports the device-mapper table data to udev. This data includes encryption keys.

| E:UDISKS_DM_TARGETS_COUNT=1
| E:UDISKS_DM_TARGETS_TYPE=crypt
| E:UDISKS_DM_TARGETS_START=0
| E:UDISKS_DM_TARGETS_LENGTH=1467585
| E:UDISKS_DM_TARGETS_PARAMS=aes-cbc-essiv:sha256\x20XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x200\x208:5\x200

UDISKS_DM_TARGETS_PARAMS includes the complete table entry, in case of the crypt target this includes the key and iv type.
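
An added example, not part of the bug report or of udisks' own code: a Python audit that scans a udev property dump in the format shown above, reports device-mapper parameters exported for anything other than a linear target, and marks crypt entries whose key field is populated, without echoing the key. The sample dump, its hex key placeholder, the `P:` device paths and the space-separated handling of multiple targets are assumptions constructed for illustration.

```python
import re

# Constructed dump in the report's format; the hex key is a placeholder.
SAMPLE = r"""
P: /devices/virtual/block/dm-0
E:UDISKS_DM_TARGETS_TYPE=crypt
E:UDISKS_DM_TARGETS_PARAMS=aes-cbc-essiv:sha256\x200123456789abcdef0123456789abcdef\x200\x208:5\x200

P: /devices/virtual/block/dm-1
E:UDISKS_DM_TARGETS_TYPE=linear
E:UDISKS_DM_TARGETS_PARAMS=8:5\x202048
"""

def unescape(value):
    """Decode \\xNN escapes such as \\x20 used inside one property value."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_devices(dump):
    """Group E: properties under the preceding P: device path."""
    current = {}
    devices = {"(unknown)": current}   # properties seen before any P: line
    for line in dump.splitlines():
        line = line.lstrip("| ").strip()
        if line.startswith("P:"):
            current = devices.setdefault(line[2:].strip(), {})
        elif line.startswith("E:") and "=" in line:
            key, _, val = line[2:].strip().partition("=")
            current[key] = val
    return devices

def audit(dump):
    """Return (device, target type, finding) without echoing any key."""
    findings = []
    for path, props in parse_devices(dump).items():
        types = props.get("UDISKS_DM_TARGETS_TYPE", "").split()
        params = props.get("UDISKS_DM_TARGETS_PARAMS", "").split()
        for ttype, raw in zip(types, params):
            if ttype == "linear":      # device major:minor and offset only
                continue
            fields = unescape(raw).split()
            # dm-crypt table params: <cipher> <key> <iv_offset> <device> <offset>
            keyed = (ttype == "crypt" and len(fields) >= 2
                     and re.fullmatch(r"[0-9a-fA-F]{16,}", fields[1]) is not None)
            findings.append((path, ttype, "key material" if keyed else "non-linear params"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```
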

In , Martin Pitt (pitti) wrote :

I committed a test for this, which fails right now:

http://cgit.freedesktop.org/udisks/commit/?id=4670d2edfb615af94bd9d82d8fd12b7cf8d23b9d

======================================================================
FAIL: LUKS create/teardown
----------------------------------------------------------------------
Traceback (most recent call last):
  File "tests/run", line 735, in test_0_create_teardown
    self.failIf('essiv:sha' in out, 'key information in udev properties')
AssertionError: key information in udev properties

In , Zeuthen (zeuthen) wrote :

(In reply to comment #0)
> So we should drop the key information for UDISKS_DM_TARGETS_TYPE == "crypt" or
> only explicitly set major/minor/offset, and/or not set UDISKS_DM_TARGETS_TYPE
> for anything != "linear".

How about just keeping it for linear mappings for the time being? In the future we can keep it for other device mapper targets as well - for example, we want this data for multipath in order to display state about each path etc. etc. etc.

In , Martin Pitt (pitti) wrote :

Before I go and touch any code, I added a new test case which exercises this code path by ensuring that DM partitions (kpartx'ed on a LV) have a correct PartitionSlave property (it involves parsing UDISKS_DM_TARGETS_PARAMS and various DM_* properties). When I disable the UDISKS_DM_TARGETS_PARAMS reading in udisks-part-id, this test case fails.

In , Martin Pitt (pitti) wrote :

(In reply to comment #2)
> How about just keeping it for linear mappings for the time being?

Works for me. Now that I have test cases for both ends, I'll work on that tomorrow (bedtime now).

Thanks!

security vulnerability: no → yes
Changed in udisks (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → High
milestone: none → ubuntu-10.04
status: New → In Progress
Martin Pitt (pitti) wrote :

udisks only needs UDISKS_DM_TARGETS_PARAMS for UDISKS_DM_TARGETS_TYPE == "linear", and is only interested in the major/minor of the device and the offset.

So we should drop the key information for UDISKS_DM_TARGETS_TYPE == "crypt" or only explicitly set major/minor/offset, and/or not set UDISKS_DM_TARGETS_TYPE for anything != "linear".

Changed in udisks (Debian):
status: Unknown → New
Changed in udisks (Ubuntu Lucid):
status: In Progress → Fix Committed
In , Martin Pitt (pitti) wrote :

David, I think it's worth pushing out a 1.0.1 with this fix (I also made a couple of other fixes in trunk). Or do you want to wait for the CVE to arrive? (Someone requested one, as far as I understood from #udev).

Martin Pitt (pitti) wrote :

Upstream said someone already requested a CVE for this.

Changed in udisks (Ubuntu Karmic):
status: New → Invalid
Changed in devicekit-disks (Ubuntu Lucid):
status: New → Invalid
Martin Pitt (pitti) wrote :

This also affects devicekit-disks in karmic. Earlier Ubuntu releases used hal and did not have {u,dk}-disks yet.

Changed in devicekit-disks (Ubuntu Karmic):
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → High
status: New → In Progress
Martin Pitt (pitti) wrote :

Ah, *phew*, I checked karmic, and its dk-disks version is old enough to not yet export TARGETS_PARAMS at all. ./src/devkit-disks-dm-export.c just entirely ignores the "params" return value.

Changed in devicekit-disks (Ubuntu Karmic):
assignee: Martin Pitt (pitti) → nobody
status: In Progress → Invalid
Martin Pitt (pitti) wrote :

$ sudo src/devkit-disks-dm-export 252 0
DKD_DM_NAME=udisks-luks-uuid-fb577f21-6a7e-4891-84d6-dc369073ac34-uid1000
DKD_DM_UUID=CRYPT-LUKS1-fb577f216a7e489184d6dc369073ac34-udisks-luks-uuid-fb577f21-6a7e-4891-84d6-dc369073ac34-uid1000
DKD_DM_STATE=ACTIVE
DKD_DM_TABLE_STATE=LIVE
DKD_DM_OPENCOUNT=1
DKD_DM_LAST_EVENT_NR=0
DKD_DM_MAJOR=252
DKD_DM_MINOR=0
DKD_DM_TARGET_COUNT=1
DKD_DM_TARGET_TYPES=crypt

Changed in udisks (Debian):
status: New → Confirmed
In , Kurt-seifried (kurt-seifried) wrote :

From: Josh Bressers 4/7/10 7:08 PM
Re: [oss-security] CVE Request -- udisks v1.0.0 -- (serious)information disclosure
Please use CVE-2010-1149 for this.
Thanks.
--
   JB

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package udisks - 1.0.1-1

---------------
udisks (1.0.1-1) unstable; urgency=high

  Urgency high because of security bug fix.

  [ Michael Biebl ]
  * Build against parted 2.2. (Closes: #574908)
  * debian/control
    - Add dependency on dbus.

  [ Martin Pitt ]
  * New upstream bug fix release:
    - umount.udisks: Exit with return code 0 if the unmount succeeded.
      (LP: #541740)
    - Allow other rules (such as media-player-info) to set a more specific
      presentation icon.
    - Set multimedia-player-ipod icon for iPod media players. (LP: #540235)
    - Stop exporting DM key information. (Closes: #576687, LP: #556651,
      CVE-2010-1149)
    - Fix DM partition table detection.
    - job-drive-benchmark.c: Fix data types in error messages. (LP: #527202)
    - Hide Sony E-Book launcher partition. (LP: #546924)
    - Various test suite improvements.
 -- Martin Pitt <email address hidden> Fri, 09 Apr 2010 18:19:18 +0200

Changed in udisks (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in udisks (Debian):
status: Confirmed → Fix Released
Lucien Demeuse (lucien-demeuse) wrote :

Be careful: with the new update of udisks version 1.0.1-1ubuntu it is impossible to read an internal or USB floppy. The solution is to downgrade udisks to 1.0.1-build1, as I explain here in detail:

http://users.skynet.be/linux-rixensart/1_suite.html#floppy

Lucien

Changed in udisks:
importance: Unknown → High
status: Unknown → Fix Released
Changed in udisks:
importance: High → Unknown
Changed in udisks:
importance: Unknown → High