mount: umount -r drops nosuid flag

Automatically imported from Debian bug report #328141 http://bugs.debian.org/328141

Message-Id: <email address hidden>
Date: Wed, 14 Sep 2005 06:22:00 +1000
From: Paul Szabo <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mount: umount -r drops nosuid flag

Package: mount
Version: 2.11n-7
Severity: critical
File: /bin/umount
Tags: security
Justification: root security hole

Please see

  http://www.securityfocus.com/archive/1/410333

for details. Verified (that noexec flag is gone) as follows:

psz:~$ id
uid=1001(psz) gid=1001(amstaff) groups=1001(amstaff),24(cdrom),25(floppy)
psz:~$ grep cdrom /etc/fstab
/dev/cdrom /cdrom iso9660 ro,user,noauto 0 0
psz:~$ /bin/mount /cdrom
psz:~$ /bin/mount | grep cdrom
/dev/cdrom on /cdrom type iso9660 (ro,noexec,nosuid,nodev,user=psz)
psz:~$ /cdrom/ML3/ML_30_013_Linuxi.bin
bash: /cdrom/ML3/ML_30_013_Linuxi.bin: /bin/sh: bad interpreter: Permission denied
psz:~$ cd /cdrom
psz:/cdrom$ /bin/umount -r /cdrom
umount: /dev/cdrom busy - remounted read-only
psz:/cdrom$ cd
psz:~$ /bin/mount | grep cdrom
/dev/cdrom on /cdrom type iso9660 (ro)
psz:~$ /cdrom/ML3/ML_30_013_Linuxi.bin
Unpacking to /tmp/ML.tar...
[ctrl-C]
psz:~$ /bin/umount -r /cdrom
psz:~$

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.27-smssvr1.6 #1 SMP Wed Aug 24 12:16:31 EST 2005 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages mount depends on:
ii libc6 2.2.5-11.8 GNU C Library: Shared libraries an

Doesn't seem like a major issue to me...

(In reply to comment #2)
> Doesn't seem like a major issue to me...

It becomes a major issue if an admin adds removable devices to fstab, therefore
I increase severity again.

We should follow upstream's approach and disable the -r option for normal users.

*** Bug 21991 has been marked as a duplicate of this bug. ***

stables fixed in USN-184-1, Breezy fixed in

 util-linux (2.12p-6ubuntu4) breezy; urgency=low
 .
   * SECURITY UPDATE: Privilege escalation.
   * Add debian/patches/70umount-disableuserremount.dpatch:
     - Disallow umount's -r option for non-root users. -r removed flags like
       "nosuid" from mounted partitions.
     - CAN-2005-2876

Patch put on patches.u.c, forwarded to Debian BTS.

Message-ID: <email address hidden>
Date: Wed, 14 Sep 2005 00:07:10 +0200
From: Max Vozeler <email address hidden>
To: Paul Szabo <email address hidden>, <email address hidden>
Subject: Re: Bug#328141: mount: umount -r drops nosuid flag

--huq684BweRXVnRxX
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

tags 328141 +patch
thanks

On Wed, Sep 14, 2005 at 06:22:00AM +1000, Paul Szabo wrote:
> [ .. umount -r drops flags ]
> http://www.securityfocus.com/archive/1/410333

The attached patch is extracted from 2.12r-pre1, it simply
disallows user r/o remounts.

cheers,
Max

--huq684BweRXVnRxX
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline; filename="no_user_remount.diff"

--- /home/max/deb/loop-aes-utils/trunk/mount/umount.c 2005-08-27 12:24:13.000000000 +0200
+++ util-linux-2.12r-pre1/mount/umount.c 2005-09-10 20:07:38.000000000 +0200
@@ -714,7 +714,7 @@

  if (getuid () != geteuid ()) {
   suid = 1;
- if (all || types || nomtab || force)
+ if (all || types || nomtab || force || remount)
    die (2, _("umount: only root can do that"));
  }

--huq684BweRXVnRxX--

Message-ID: <email address hidden>
Date: Fri, 16 Sep 2005 14:41:25 +0200
From: Max Vozeler <email address hidden>
To: <email address hidden>
Subject: retitle 328141

retitle 328141 mount: umount -r drops nosuid flag (CAN-2005-2876)
thanks

Message-ID: <email address hidden>
Date: Fri, 16 Sep 2005 14:42:34 +0200
From: Max Vozeler <email address hidden>
To: <email address hidden>
Subject: clone to loop-aes-utils

clone 328141 -1
reassign -1 loop-aes-utils
thanks

Message-ID: <email address hidden>
Date: Fri, 16 Sep 2005 14:39:57 +0200
From: Max Vozeler <email address hidden>
To: <email address hidden>
Subject: CAN-2005-2876

This bug has been assigned CAN-2005-2876

cheers,
Max

Message-Id: <email address hidden>
Date: Mon, 19 Sep 2005 01:43:16 -0700
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: reassign 329063 to mount, merging 328141 329063

# Automatically generated email from bts, devscripts version 2.8.14
reassign 329063 mount
merge 328141 329063

Message-Id: <email address hidden>
Date: Wed, 21 Sep 2005 07:47:06 -0700
From: LaMont Jones <email address hidden>
To: <email address hidden>
Subject: Bug#328141: fixed in util-linux 2.12p-8

Source: util-linux
Source-Version: 2.12p-8

We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive:

bsdutils_2.12p-8_i386.deb
  to pool/main/u/util-linux/bsdutils_2.12p-8_i386.deb
fdisk-udeb_2.12p-8_i386.udeb
  to pool/main/u/util-linux/fdisk-udeb_2.12p-8_i386.udeb
mount_2.12p-8_i386.deb
  to pool/main/u/util-linux/mount_2.12p-8_i386.deb
util-linux-locales_2.12p-8_all.deb
  to pool/main/u/util-linux/util-linux-locales_2.12p-8_all.deb
util-linux_2.12p-8.diff.gz
  to pool/main/u/util-linux/util-linux_2.12p-8.diff.gz
util-linux_2.12p-8.dsc
  to pool/main/u/util-linux/util-linux_2.12p-8.dsc
util-linux_2.12p-8_i386.deb
  to pool/main/u/util-linux/util-linux_2.12p-8_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
LaMont Jones <email address hidden> (supplier of updated util-linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 21 Sep 2005 08:36:17 -0600
Source: util-linux
Binary: util-linux fdisk-udeb util-linux-locales bsdutils mount
Architecture: all i386 source
Version: 2.12p-8
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <email address hidden>
Changed-By: LaMont Jones <email address hidden>
Description:
 bsdutils - Basic utilities from 4.4BSD-Lite
 fdisk-udeb - Partition a hard drive (manual, cfdisk)
 mount - Tools for mounting and manipulating filesystems
 util-linux - Miscellaneous system utilities
 util-linux-locales - Locales files for util-linux
Closes: 328141 329063
Changes:
 util-linux (2.12p-8) unstable; urgency=high
 .
   * if /etc/adjtime is a dangling symlink, don't use it in hwclock*.sh
   * Applited patch by Max Vozeler to fix a local privilege escalation
     vulnerability in umount -r [debian/patches/51security_CAN-2005-2876.dpatch]
     Closes: #328141, #329063
Files:
 05dc3e83e483b500a188941d4ec58ca0 700 base required util-linux_2.12p-8.dsc
 262121de89e4a4d5da64a9a3043978a9 66258 base required bsdutils_2.12p-8_i386.deb
 9ae6656ec71c88fd133b065491ab5079 76281 base required util-linux_2.12p-8.diff.gz
 a7c20de195c91631b873ee77745f66f2 140396 base required mount_2.12p-8_i386.deb
 d415a1a9db5caa576f2b674183aba292 369144 base required util-linux_2.12p-8_i386.deb
 f07516de7a286e0d396aa9dafa95fc3b 1072692 utils optional util-linux-locales_2.12p-8_all.deb
 f28485490ec5b6208c4850bdec4d2fc0 537254 debian-installer extra fdisk-udeb_2.12p-8_i386.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDMXGRzN/kmwoKyScR...

Message-Id: <email address hidden>
Date: Wed, 21 Sep 2005 07:47:06 -0700
From: LaMont Jones <email address hidden>
To: <email address hidden>
Subject: Bug#329063: fixed in util-linux 2.12p-8

Source: util-linux
Source-Version: 2.12p-8

We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive:

bsdutils_2.12p-8_i386.deb
  to pool/main/u/util-linux/bsdutils_2.12p-8_i386.deb
fdisk-udeb_2.12p-8_i386.udeb
  to pool/main/u/util-linux/fdisk-udeb_2.12p-8_i386.udeb
mount_2.12p-8_i386.deb
  to pool/main/u/util-linux/mount_2.12p-8_i386.deb
util-linux-locales_2.12p-8_all.deb
  to pool/main/u/util-linux/util-linux-locales_2.12p-8_all.deb
util-linux_2.12p-8.diff.gz
  to pool/main/u/util-linux/util-linux_2.12p-8.diff.gz
util-linux_2.12p-8.dsc
  to pool/main/u/util-linux/util-linux_2.12p-8.dsc
util-linux_2.12p-8_i386.deb
  to pool/main/u/util-linux/util-linux_2.12p-8_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
LaMont Jones <email address hidden> (supplier of updated util-linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 21 Sep 2005 08:36:17 -0600
Source: util-linux
Binary: util-linux fdisk-udeb util-linux-locales bsdutils mount
Architecture: all i386 source
Version: 2.12p-8
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <email address hidden>
Changed-By: LaMont Jones <email address hidden>
Description:
 bsdutils - Basic utilities from 4.4BSD-Lite
 fdisk-udeb - Partition a hard drive (manual, cfdisk)
 mount - Tools for mounting and manipulating filesystems
 util-linux - Miscellaneous system utilities
 util-linux-locales - Locales files for util-linux
Closes: 328141 329063
Changes:
 util-linux (2.12p-8) unstable; urgency=high
 .
   * if /etc/adjtime is a dangling symlink, don't use it in hwclock*.sh
   * Applited patch by Max Vozeler to fix a local privilege escalation
     vulnerability in umount -r [debian/patches/51security_CAN-2005-2876.dpatch]
     Closes: #328141, #329063
Files:
 05dc3e83e483b500a188941d4ec58ca0 700 base required util-linux_2.12p-8.dsc
 262121de89e4a4d5da64a9a3043978a9 66258 base required bsdutils_2.12p-8_i386.deb
 9ae6656ec71c88fd133b065491ab5079 76281 base required util-linux_2.12p-8.diff.gz
 a7c20de195c91631b873ee77745f66f2 140396 base required mount_2.12p-8_i386.deb
 d415a1a9db5caa576f2b674183aba292 369144 base required util-linux_2.12p-8_i386.deb
 f07516de7a286e0d396aa9dafa95fc3b 1072692 utils optional util-linux-locales_2.12p-8_all.deb
 f28485490ec5b6208c4850bdec4d2fc0 537254 debian-installer extra fdisk-udeb_2.12p-8_i386.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDMXGRzN/kmwoKyScR...

Message-Id: <email address hidden>
Date: Tue, 27 Sep 2005 06:29:26 +1000
From: Paul Szabo <email address hidden>
To: <email address hidden>, <email address hidden>, <email address hidden>
Subject: Re: Bug#328141 acknowledged by developer (Bug#329063: fixed in util-linux 2.12p-8)

Dear Debian Security,

Quoting from http://www.debian.org/security/ :

  Debian takes security very seriously. Most security problems
  brought to our attention are corrected within 48 hours.

Can we please have a DSA for this problem?

Thanks,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

Message-ID: <email address hidden>
Date: Wed, 5 Oct 2005 08:53:07 -0800 (AKDT)
From: "James Bagley Jr." <email address hidden>
To: <email address hidden>
Subject: Bug fix causes mount issues

Package: mount
Version: 2.12p-4
File: /bin/umount

I run a server with / mounted ro. When maintenance is required on / then
I have to remount it rw, perform whatever operation is required and then
remount / ro. After installing the new util-linux and mount packages I
cannot do this. I get:

# mount / -o remount,ro
mount: / is busy
#

This worked flawlessly until updating these packages.

James Bagley Jr