buffer overflow with long path names
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
udisks (Ubuntu) | Fix Released | Medium | Martin Pitt |
Lucid | Won't Fix | Undecided | Unassigned |
Precise | Fix Released | Undecided | Marc Deslauriers |
Quantal | Fix Released | Undecided | Marc Deslauriers |
Saucy | Fix Released | Undecided | Marc Deslauriers |
Trusty | Fix Released | Medium | Martin Pitt |
udisks2 (Ubuntu) | Fix Released | Medium | Martin Pitt |
Quantal | Fix Released | Undecided | Marc Deslauriers |
Saucy | Fix Released | Undecided | Marc Deslauriers |
Trusty | Fix Released | Medium | Martin Pitt |
Bug Description
EMBARGOED until 2014-03-10
PUBLISHED now: http://
Florian Weimer of the Red Hat Product Security Team found a flaw in the way udisks and udisks2 handled long path names. A malicious, local user could use this flaw to create a specially-crafted directory structure that could lead to arbitrary code execution with the privileges of the udisks daemon (root).
Huzaifa Sidhpurwala created a proposed patch. I don't like the change from PATH_MAX to 4096, but it looks good otherwise.
I'll handle the upstream bits, Debian and Ubuntu trusty updates and discuss the PATH_MAX issue.
Upstream fix for udisks 2: http://
Upstream fix for udisks 1: http://
Debian stable updates debdiffs: http://
Changed in udisks2 (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in udisks2 (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in udisks (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in udisks (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in udisks (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in udisks (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in udisks (Ubuntu Lucid):
assignee: Marc Deslauriers (mdeslaur) → nobody
status: New → Won't Fix
description: updated
tags: added: patch
I changed the original patch to use PATH_MAX again, and sent it back to Florian and Huzaifa. This is the patch which I'm going to commit upstream on March 10.