mount: umount -r drops nosuid flag
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
util-linux (Debian) |
Fix Released
|
Unknown
|
|||
util-linux (Ubuntu) |
Fix Released
|
High
|
Martin Pitt |
Bug Description
Automatically imported from Debian bug report #328141 http://
CVE References
In Debian Bug tracker #328141, Max-decl (max-decl) wrote : Re: Bug#328141: mount: umount -r drops nosuid flag | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Automatically imported from Debian bug report #328141 http://
Debian Bug Importer (debzilla) wrote : | #3 |
Message-Id: <email address hidden>
Date: Wed, 14 Sep 2005 06:22:00 +1000
From: Paul Szabo <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mount: umount -r drops nosuid flag
Package: mount
Version: 2.11n-7
Severity: critical
File: /bin/umount
Tags: security
Justification: root security hole
Please see
http://
for details. Verified (that noexec flag is gone) as follows:
psz:~$ id
uid=1001(psz) gid=1001(amstaff) groups=
psz:~$ grep cdrom /etc/fstab
/dev/cdrom /cdrom iso9660 ro,user,noauto 0 0
psz:~$ /bin/mount /cdrom
psz:~$ /bin/mount | grep cdrom
/dev/cdrom on /cdrom type iso9660 (ro,noexec,
psz:~$ /cdrom/
bash: /cdrom/
psz:~$ cd /cdrom
psz:/cdrom$ /bin/umount -r /cdrom
umount: /dev/cdrom busy - remounted read-only
psz:/cdrom$ cd
psz:~$ /bin/mount | grep cdrom
/dev/cdrom on /cdrom type iso9660 (ro)
psz:~$ /cdrom/
Unpacking to /tmp/ML.tar...
[ctrl-C]
psz:~$ /bin/umount -r /cdrom
psz:~$
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.
Locale: LANG=C, LC_CTYPE=C
Versions of packages mount depends on:
ii libc6 2.2.5-11.8 GNU C Library: Shared libraries an
Matt Zimmerman (mdz) wrote : | #4 |
Doesn't seem like a major issue to me...
Martin Pitt (pitti) wrote : | #5 |
(In reply to comment #2)
> Doesn't seem like a major issue to me...
It becomes a major issue if an admin adds removable devices to fstab, therefore
I increase severity again.
We should follow upstream's approach and disable the -r option for normal users.
In Debian Bug tracker #328141, Max-decl (max-decl) wrote : CAN-2005-2876 | #6 |
This bug has been assigned CAN-2005-2876
cheers,
Max
In Debian Bug tracker #328141, Max-decl (max-decl) wrote : retitle 328141 | #7 |
retitle 328141 mount: umount -r drops nosuid flag (CAN-2005-2876)
thanks
In Debian Bug tracker #328141, Max-decl (max-decl) wrote : clone to loop-aes-utils | #8 |
clone 328141 -1
reassign -1 loop-aes-utils
thanks
In Debian Bug tracker #328141, Steve Langasek (vorlon) wrote : reassign 329063 to mount, merging 328141 329063 | #9 |
# Automatically generated email from bts, devscripts version 2.8.14
reassign 329063 mount
merge 328141 329063
Debian Bug Importer (debzilla) wrote : | #10 |
*** Bug 21991 has been marked as a duplicate of this bug. ***
Martin Pitt (pitti) wrote : | #11 |
stables fixed in USN-184-1, Breezy fixed in
util-linux (2.12p-6ubuntu4) breezy; urgency=low
.
* SECURITY UPDATE: Privilege escalation.
* Add debian/
- Disallow umount's -r option for non-root users. -r removed flags like
"nosuid" from mounted partitions.
- CAN-2005-2876
Patch put on patches.u.c, forwarded to Debian BTS.
In Debian Bug tracker #328141, LaMont Jones (lamont) wrote : Bug#328141: fixed in util-linux 2.12p-8 | #12 |
Source: util-linux
Source-Version: 2.12p-8
We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive:
bsdutils_
to pool/main/
fdisk-udeb_
to pool/main/
mount_2.
to pool/main/
util-linux-
to pool/main/
util-linux_
to pool/main/
util-linux_
to pool/main/
util-linux_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
LaMont Jones <email address hidden> (supplier of updated util-linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 21 Sep 2005 08:36:17 -0600
Source: util-linux
Binary: util-linux fdisk-udeb util-linux-locales bsdutils mount
Architecture: all i386 source
Version: 2.12p-8
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <email address hidden>
Changed-By: LaMont Jones <email address hidden>
Description:
bsdutils - Basic utilities from 4.4BSD-Lite
fdisk-udeb - Partition a hard drive (manual, cfdisk)
mount - Tools for mounting and manipulating filesystems
util-linux - Miscellaneous system utilities
util-linux-locales - Locales files for util-linux
Closes: 328141 329063
Changes:
util-linux (2.12p-8) unstable; urgency=high
.
* if /etc/adjtime is a dangling symlink, don't use it in hwclock*.sh
* Applited patch by Max Vozeler to fix a local privilege escalation
vulnerability in umount -r [debian/
Closes: #328141, #329063
Files:
05dc3e83e483b5
262121de89e4a4
9ae6656ec71c88
a7c20de195c916
d415a1a9db5caa
f07516de7a286e
f28485490ec5b6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDMXGRzN/
QDMHhcsAA129GQw
=M26d
-----END PGP SIGNATURE-----
In Debian Bug tracker #328141, LaMont Jones (lamont) wrote : Bug#329063: fixed in util-linux 2.12p-8 | #13 |
Source: util-linux
Source-Version: 2.12p-8
We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive:
bsdutils_
to pool/main/
fdisk-udeb_
to pool/main/
mount_2.
to pool/main/
util-linux-
to pool/main/
util-linux_
to pool/main/
util-linux_
to pool/main/
util-linux_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
LaMont Jones <email address hidden> (supplier of updated util-linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 21 Sep 2005 08:36:17 -0600
Source: util-linux
Binary: util-linux fdisk-udeb util-linux-locales bsdutils mount
Architecture: all i386 source
Version: 2.12p-8
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <email address hidden>
Changed-By: LaMont Jones <email address hidden>
Description:
bsdutils - Basic utilities from 4.4BSD-Lite
fdisk-udeb - Partition a hard drive (manual, cfdisk)
mount - Tools for mounting and manipulating filesystems
util-linux - Miscellaneous system utilities
util-linux-locales - Locales files for util-linux
Closes: 328141 329063
Changes:
util-linux (2.12p-8) unstable; urgency=high
.
* if /etc/adjtime is a dangling symlink, don't use it in hwclock*.sh
* Applited patch by Max Vozeler to fix a local privilege escalation
vulnerability in umount -r [debian/
Closes: #328141, #329063
Files:
05dc3e83e483b5
262121de89e4a4
9ae6656ec71c88
a7c20de195c916
d415a1a9db5caa
f07516de7a286e
f28485490ec5b6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDMXGRzN/
QDMHhcsAA129GQw
=M26d
-----END PGP SIGNATURE-----
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <email address hidden>
Date: Wed, 14 Sep 2005 00:07:10 +0200
From: Max Vozeler <email address hidden>
To: Paul Szabo <email address hidden>, <email address hidden>
Subject: Re: Bug#328141: mount: umount -r drops nosuid flag
--huq684BweRXVnRxX
Content-Type: text/plain; charset=us-ascii
Content-
tags 328141 +patch
thanks
On Wed, Sep 14, 2005 at 06:22:00AM +1000, Paul Szabo wrote:
> [ .. umount -r drops flags ]
> http://
The attached patch is extracted from 2.12r-pre1, it simply
disallows user r/o remounts.
cheers,
Max
--huq684BweRXVnRxX
Content-Type: text/plain; charset=us-ascii
Content-
--- /home/max/
+++ util-linux-
@@ -714,7 +714,7 @@
if (getuid () != geteuid ()) {
suid = 1;
- if (all || types || nomtab || force)
+ if (all || types || nomtab || force || remount)
die (2, _("umount: only root can do that"));
}
--huq684BweRXVn
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Fri, 16 Sep 2005 14:41:25 +0200
From: Max Vozeler <email address hidden>
To: <email address hidden>
Subject: retitle 328141
retitle 328141 mount: umount -r drops nosuid flag (CAN-2005-2876)
thanks
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Fri, 16 Sep 2005 14:42:34 +0200
From: Max Vozeler <email address hidden>
To: <email address hidden>
Subject: clone to loop-aes-utils
clone 328141 -1
reassign -1 loop-aes-utils
thanks
Debian Bug Importer (debzilla) wrote : | #17 |
Message-ID: <email address hidden>
Date: Fri, 16 Sep 2005 14:39:57 +0200
From: Max Vozeler <email address hidden>
To: <email address hidden>
Subject: CAN-2005-2876
This bug has been assigned CAN-2005-2876
cheers,
Max
Debian Bug Importer (debzilla) wrote : | #18 |
Message-Id: <email address hidden>
Date: Mon, 19 Sep 2005 01:43:16 -0700
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: reassign 329063 to mount, merging 328141 329063
# Automatically generated email from bts, devscripts version 2.8.14
reassign 329063 mount
merge 328141 329063
Debian Bug Importer (debzilla) wrote : | #19 |
Message-Id: <email address hidden>
Date: Wed, 21 Sep 2005 07:47:06 -0700
From: LaMont Jones <email address hidden>
To: <email address hidden>
Subject: Bug#328141: fixed in util-linux 2.12p-8
Source: util-linux
Source-Version: 2.12p-8
We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive:
bsdutils_
to pool/main/
fdisk-udeb_
to pool/main/
mount_2.
to pool/main/
util-linux-
to pool/main/
util-linux_
to pool/main/
util-linux_
to pool/main/
util-linux_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
LaMont Jones <email address hidden> (supplier of updated util-linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 21 Sep 2005 08:36:17 -0600
Source: util-linux
Binary: util-linux fdisk-udeb util-linux-locales bsdutils mount
Architecture: all i386 source
Version: 2.12p-8
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <email address hidden>
Changed-By: LaMont Jones <email address hidden>
Description:
bsdutils - Basic utilities from 4.4BSD-Lite
fdisk-udeb - Partition a hard drive (manual, cfdisk)
mount - Tools for mounting and manipulating filesystems
util-linux - Miscellaneous system utilities
util-linux-locales - Locales files for util-linux
Closes: 328141 329063
Changes:
util-linux (2.12p-8) unstable; urgency=high
.
* if /etc/adjtime is a dangling symlink, don't use it in hwclock*.sh
* Applited patch by Max Vozeler to fix a local privilege escalation
vulnerability in umount -r [debian/
Closes: #328141, #329063
Files:
05dc3e83e483b5
262121de89e4a4
9ae6656ec71c88
a7c20de195c916
d415a1a9db5caa
f07516de7a286e
f28485490ec5b6
-----BEGIN PGP SIGNATURE----- iD8DBQFDMXGRzN/
Version: GnuPG v1.4.1 (GNU/Linux)
Debian Bug Importer (debzilla) wrote : | #20 |
Message-Id: <email address hidden>
Date: Wed, 21 Sep 2005 07:47:06 -0700
From: LaMont Jones <email address hidden>
To: <email address hidden>
Subject: Bug#329063: fixed in util-linux 2.12p-8
Source: util-linux
Source-Version: 2.12p-8
We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive:
bsdutils_
to pool/main/
fdisk-udeb_
to pool/main/
mount_2.
to pool/main/
util-linux-
to pool/main/
util-linux_
to pool/main/
util-linux_
to pool/main/
util-linux_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
LaMont Jones <email address hidden> (supplier of updated util-linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 21 Sep 2005 08:36:17 -0600
Source: util-linux
Binary: util-linux fdisk-udeb util-linux-locales bsdutils mount
Architecture: all i386 source
Version: 2.12p-8
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <email address hidden>
Changed-By: LaMont Jones <email address hidden>
Description:
bsdutils - Basic utilities from 4.4BSD-Lite
fdisk-udeb - Partition a hard drive (manual, cfdisk)
mount - Tools for mounting and manipulating filesystems
util-linux - Miscellaneous system utilities
util-linux-locales - Locales files for util-linux
Closes: 328141 329063
Changes:
util-linux (2.12p-8) unstable; urgency=high
.
* if /etc/adjtime is a dangling symlink, don't use it in hwclock*.sh
* Applited patch by Max Vozeler to fix a local privilege escalation
vulnerability in umount -r [debian/
Closes: #328141, #329063
Files:
05dc3e83e483b5
262121de89e4a4
9ae6656ec71c88
a7c20de195c916
d415a1a9db5caa
f07516de7a286e
f28485490ec5b6
-----BEGIN PGP SIGNATURE----- iD8DBQFDMXGRzN/
Version: GnuPG v1.4.1 (GNU/Linux)
In Debian Bug tracker #328141, Paul Szabo (psz-maths) wrote : Re: Bug#328141 acknowledged by developer (Bug#329063: fixed in util-linux 2.12p-8) | #21 |
Dear Debian Security,
Quoting from http://
Debian takes security very seriously. Most security problems
brought to our attention are corrected within 48 hours.
Can we please have a DSA for this problem?
Thanks,
Paul Szabo <email address hidden> http://
School of Mathematics and Statistics University of Sydney Australia
Debian Bug Importer (debzilla) wrote : | #22 |
Message-Id: <email address hidden>
Date: Tue, 27 Sep 2005 06:29:26 +1000
From: Paul Szabo <email address hidden>
To: <email address hidden>, <email address hidden>, <email address hidden>
Subject: Re: Bug#328141 acknowledged by developer (Bug#329063: fixed in util-linux 2.12p-8)
Dear Debian Security,
Quoting from http://
Debian takes security very seriously. Most security problems
brought to our attention are corrected within 48 hours.
Can we please have a DSA for this problem?
Thanks,
Paul Szabo <email address hidden> http://
School of Mathematics and Statistics University of Sydney Australia
In Debian Bug tracker #328141, James Bagley Jr. (james-thelostnet) wrote : Bug fix causes mount issues | #23 |
Package: mount
Version: 2.12p-4
File: /bin/umount
I run a server with / mounted ro. When maintenance is required on / then
I have to remount it rw, perform whatever operation is required and then
remount / ro. After installing the new util-linux and mount packages I
cannot do this. I get:
# mount / -o remount,ro
mount: / is busy
#
This worked flawlessly until updating these packages.
James Bagley Jr
Debian Bug Importer (debzilla) wrote : | #24 |
Message-ID: <email address hidden>
Date: Wed, 5 Oct 2005 08:53:07 -0800 (AKDT)
From: "James Bagley Jr." <email address hidden>
To: <email address hidden>
Subject: Bug fix causes mount issues
Package: mount
Version: 2.12p-4
File: /bin/umount
I run a server with / mounted ro. When maintenance is required on / then
I have to remount it rw, perform whatever operation is required and then
remount / ro. After installing the new util-linux and mount packages I
cannot do this. I get:
# mount / -o remount,ro
mount: / is busy
#
This worked flawlessly until updating these packages.
James Bagley Jr
tags 328141 +patch
thanks
On Wed, Sep 14, 2005 at 06:22:00AM +1000, Paul Szabo wrote: www.securityfoc us.com/ archive/ 1/410333
> [ .. umount -r drops flags ]
> http://
The attached patch is extracted from 2.12r-pre1, it simply
disallows user r/o remounts.
cheers,
Max