buffer overflow with long path names

Bug #1288226 reported by Martin Pitt on 2014-03-05
Affects              Importance   Assigned to
udisks (Ubuntu)      Medium       Martin Pitt
  Lucid              Undecided    Unassigned
  Precise            Undecided    Marc Deslauriers
  Quantal            Undecided    Marc Deslauriers
  Saucy              Undecided    Marc Deslauriers
  Trusty             Medium       Martin Pitt
udisks2 (Ubuntu)     Medium       Martin Pitt
  Quantal            Undecided    Marc Deslauriers
  Saucy              Undecided    Marc Deslauriers
  Trusty             Medium       Martin Pitt

Bug Description

EMBARGOED until 2014-03-10
PUBLISHED now: http://lists.freedesktop.org/archives/devkit-devel/2014-March/001568.html

Florian Weimer of the Red Hat Product Security Team found a flaw in the way udisks and udisks2 handled long path names. A malicious, local user could use this flaw to create a specially-crafted directory structure that could lead to arbitrary code execution with the privileges of the udisks daemon (root).

Huzaifa Sidhpurwala created a proposed patch. I don't like the change from PATH_MAX to 4096, but it looks good otherwise.

I'll handle the upstream bits, Debian and Ubuntu trusty updates and discuss the PATH_MAX issue.

Upstream fix for udisks 2: http://cgit.freedesktop.org/udisks/commit/?id=244967
Upstream fix for udisks 1: http://cgit.freedesktop.org/udisks/commit/?h=udisks1&id=ebf61ed8471

Debian stable updates debdiffs: http://people.debian.org/~mpitt/tmp/udisks-CVE-2014-0004/

Martin Pitt (pitti) wrote :
no longer affects: udisks2 (Ubuntu Lucid)
no longer affects: udisks2 (Ubuntu Precise)
Changed in udisks2 (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in udisks2 (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in udisks (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in udisks (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in udisks (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in udisks (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in udisks (Ubuntu Lucid):
assignee: Marc Deslauriers (mdeslaur) → nobody
status: New → Won't Fix
Martin Pitt (pitti) wrote :

I changed the original patch to use PATH_MAX again and sent it back to Florian and Huzaifa. This is the patch which I'm going to commit upstream on March 10.

Martin Pitt (pitti) wrote :

This is the backported patch for udisks 1.

Changed in udisks (Ubuntu Trusty):
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → Low
status: New → In Progress
Changed in udisks2 (Ubuntu Trusty):
assignee: nobody → Martin Pitt (pitti)
status: New → In Progress
Martin Pitt (pitti) wrote :

Fixed udisks2 patch (sscanf writes at most one byte more than specified).

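The off-by-one noted in the comment above (sscanf's %s conversion stores the matched characters plus a terminating NUL, so a width equal to the buffer size writes one byte past it) is the general pattern behind "limit lengths and properly terminate". The following is an added example, not udisks code: it parses a constructed mount-table line into PATH_MAX-sized buffers with the width set to PATH_MAX - 1, and rejects any field that could have been silently truncated instead of trusting a cut-off path. The line format and sample values are assumptions for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Buffers are PATH_MAX bytes, so the scanf width must be PATH_MAX - 1:
 * "%4096s" into a char[4096] writes 4097 bytes for a 4096-character
 * field (the characters plus the NUL). That is the off-by-one to avoid. */
#define FIELD_WIDTH (PATH_MAX - 1)

/* Parse "<device> <mountpoint> <fstype>" from one line of a constructed
 * mount table (assumed format, not udisks' own parser).
 * Returns 1 on success, 0 if the line is malformed, and -1 if any field is
 * too long to fit; callers should skip such a line rather than act on a
 * silently truncated path. */
int parse_mount_line(const char *line, char dev[PATH_MAX],
                     char mountpoint[PATH_MAX], char fstype[PATH_MAX])
{
    char fmt[64];

    /* Build "%4095s %4095s %4095s" at run time so the width tracks PATH_MAX. */
    snprintf(fmt, sizeof fmt, "%%%ds %%%ds %%%ds",
             FIELD_WIDTH, FIELD_WIDTH, FIELD_WIDTH);
    if (sscanf(line, fmt, dev, mountpoint, fstype) != 3)
        return 0;

    /* A field that exactly fills the width may have been cut off; the rest
     * of it would have spilled into the next conversion. Treat as overlong. */
    if (strlen(dev) >= (size_t)FIELD_WIDTH ||
        strlen(mountpoint) >= (size_t)FIELD_WIDTH ||
        strlen(fstype) >= (size_t)FIELD_WIDTH)
        return -1;
    return 1;
}

/* Constructed sample: an ordinary line parses and the mount point is intact. */
int demo_normal_line(void)
{
    char dev[PATH_MAX], mp[PATH_MAX], fs[PATH_MAX];
    int rc = parse_mount_line("/dev/sda1 /mnt/data ext4", dev, mp, fs);
    if (rc == 1 && strcmp(mp, "/mnt/data") != 0)
        return 0;
    return rc;
}

/* Constructed sample: a mount point longer than PATH_MAX is rejected, and
 * none of the three destination buffers is written past its end. */
int demo_overlong_mountpoint(void)
{
    static char line[PATH_MAX * 2 + 64];
    char dev[PATH_MAX], mp[PATH_MAX], fs[PATH_MAX];
    size_t n = 0;

    n += (size_t)snprintf(line, sizeof line, "/dev/sdb1 /mnt/");
    memset(line + n, 'a', PATH_MAX + 100);   /* path component > PATH_MAX */
    n += PATH_MAX + 100;
    snprintf(line + n, sizeof line - n, " ext4");
    return parse_mount_line(line, dev, mp, fs);
}

int main(void)
{
    printf("normal line: %d (expect 1)\n", demo_normal_line());
    printf("overlong mount point: %d (expect -1)\n", demo_overlong_mountpoint());
    return 0;
}
```

The length check after sscanf matters as much as the width: with the width alone, an overlong path is not an error, it is silently split across the remaining conversions, which is exactly how a daemon ends up acting on a path it never actually read.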
Martin Pitt (pitti) wrote :

This is public now. I removed the attached patches; they were valid, but had a wrong attribution (the original patch was from David Zeuthen). I put links to the official upstream patches into the description.

description: updated
information type: Private Security → Public Security
Martin Pitt (pitti) wrote :

udisks 2.1.3-1 uploaded to Debian sid. I'll sync it once it gets imported into LP.

Changed in udisks2 (Ubuntu Trusty):
importance: Low → Medium
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

udisks 1.0.5-1 uploaded to sid, will sync to trusty ASAP.

Changed in udisks (Ubuntu Trusty):
importance: Low → Medium
status: In Progress → Fix Committed
Martin Pitt (pitti) on 2014-03-10
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package udisks - 1.0.4-8ubuntu1.1

---------------
udisks (1.0.4-8ubuntu1.1) saucy-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via long path names
    (LP: #1288226)
    - debian/patches/CVE-2014-0004.patch: limit lengths and properly
      terminate in src/mount-monitor.c.
    - CVE-2014-0004
 -- Marc Deslauriers <email address hidden> Thu, 06 Mar 2014 09:25:27 -0500

Changed in udisks (Ubuntu Saucy):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package udisks2 - 2.1.0-4ubuntu0.1

---------------
udisks2 (2.1.0-4ubuntu0.1) saucy-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via long path names
    (LP: #1288226)
    - debian/patches/CVE-2014-0004.patch: limit lengths and properly
      terminate in src/udisksmountmonitor.c.
    - CVE-2014-0004
 -- Marc Deslauriers <email address hidden> Thu, 06 Mar 2014 09:22:17 -0500

Changed in udisks2 (Ubuntu Saucy):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package udisks - 1.0.4-6ubuntu0.1

---------------
udisks (1.0.4-6ubuntu0.1) quantal-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via long path names
    (LP: #1288226)
    - debian/patches/CVE-2014-0004.patch: limit lengths and properly
      terminate in src/mount-monitor.c.
    - CVE-2014-0004
 -- Marc Deslauriers <email address hidden> Thu, 06 Mar 2014 09:26:56 -0500

Changed in udisks (Ubuntu Quantal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package udisks2 - 2.0.0-1ubuntu1.1

---------------
udisks2 (2.0.0-1ubuntu1.1) quantal-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via long path names
    (LP: #1288226)
    - debian/patches/CVE-2014-0004.patch: limit lengths and properly
      terminate in src/udisksmountmonitor.c.
    - CVE-2014-0004
 -- Marc Deslauriers <email address hidden> Thu, 06 Mar 2014 09:24:22 -0500

Changed in udisks2 (Ubuntu Quantal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package udisks - 1.0.4-5ubuntu2.2

---------------
udisks (1.0.4-5ubuntu2.2) precise-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via long path names
    (LP: #1288226)
    - debian/patches/CVE-2014-0004.patch: limit lengths and properly
      terminate in src/mount-monitor.c.
    - CVE-2014-0004
 -- Marc Deslauriers <email address hidden> Thu, 06 Mar 2014 09:27:39 -0500

Changed in udisks (Ubuntu Precise):
status: New → Fix Released
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package udisks - 1.0.5-1

---------------
udisks (1.0.5-1) unstable; urgency=high

  * New upstream security/bug fix release. Fixes buffer overflow in mount path
    parsing. (CVE-2014-0004, LP: #1288226)
  * Drop 00git_fix_smart_test.patch, 00git_rts_bpp_sdcard.patch: contained in
    this upstream release.
  * Replace Debian specific systemd integration with upstream's:
    - Drop 11-systemd-service.patch and udisks.service.
    - debian/rules: Configure with --with-systemdsystemunitdir.
    - debian/udisks.install: Adjust .service path.
  * Use dh-autoreconf to update config.{sub,guess} for new ports.
    Thanks Dann Frazier. (LP: #1235051)
  * Add 15-dont-watch-lvm.patch: Stop udev-watching devmapper devices. It is
    not necessary any more with current kernels/LVM and breaks removal of
    snapshots. (Closes: #721303)

 -- Martin Pitt <email address hidden> Mon, 10 Mar 2014 11:09:46 +0100

Changed in udisks (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package udisks2 - 2.1.3-1

---------------
udisks2 (2.1.3-1) unstable; urgency=high

  * New upstream security/bug fix release. Fixes buffer overflow in mount path
    parsing. (CVE-2014-0004, LP: #1288226)
  * Add "isolation-machine" autopkgtest restriction, this test does not work
    in schroot or LXC.

 -- Martin Pitt <email address hidden> Mon, 10 Mar 2014 10:41:43 +0100

Changed in udisks2 (Ubuntu Trusty):
status: Fix Committed → Fix Released