util-linux: CVE-2014-9114: command injection flaw in blkid


Debian Bug report logs - #771274


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 28 Nov 2014 06:39:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions util-linux/2.20.1-5.3, util-linux/2.25.2-3

Fixed in version util-linux/2.25.2-4

Done: Andreas Henriksson <andreas@fatal.se>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian util-linux Maintainers <ah-util-linux@debian.org>:
Bug#771274; Package src:util-linux. (Fri, 28 Nov 2014 06:39:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian util-linux Maintainers <ah-util-linux@debian.org>. (Fri, 28 Nov 2014 06:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: util-linux: CVE-2014-9114: command injection flaw in blkid
Date: Fri, 28 Nov 2014 07:35:33 +0100
Source: util-linux
Version: 2.25.2-3
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for util-linux.

CVE-2014-9114[0]:
blkid command injection

I'm a bit undecided about the severity, so have chosen grave for now,
but important might be more appropriate. Feel free to downgrade if you
disagree: I checked what might be calling blkid -o udev directly as
root in a Debian package:
http://codesearch.debian.net/search?q=blkid+-o+udev Most seem to call
blkid also with -p so not using the cache. OTOH, there is e.g.
grml-debootstrap which calls it this way, but should be safe as it is
called after creating a filesystem on the $TARGET.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9114
[1] http://www.openwall.com/lists/oss-security/2014/11/26/13
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1168485
[3] https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
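
The risk Salvatore describes is root-privileged scripts that feed `blkid -o udev` output to the shell (the classic `eval "$(blkid -o udev "$dev")"` pattern), so any unsafe characters that reach the cache become commands. The following is an added example, not code from this bug report or from util-linux: a POSIX shell consumer that extracts fields from that output without ever evaluating it. The sample output, the key and value character sets, and the function names `blkid_value` and `blkid_udev_is_safe` are assumptions made for the example.

```shell
# Constructed sample of `blkid -o udev` output (not real device data). The
# label carries shell metacharacters to stand in for a hostile cache entry;
# the last line is deliberately malformed.
SAMPLE_OUTPUT='ID_FS_UUID=1234-ABCD
ID_FS_TYPE=vfat
ID_FS_LABEL=evil $(echo INJECTED) ; echo ALSO
ID_FS_LABEL_ENC=evil\x20label
not a key=value line'

# Vulnerable consumer pattern (shown for contrast, never run here):
#   eval "$(blkid -o udev "$dev")"
# The shell would execute whatever the label contains, as the caller (root).

# blkid_value KEY: read `blkid -o udev` output on stdin and print KEY's value
# verbatim. Returns 1 if KEY is not a well-formed ID_* key or is absent.
# Nothing here goes through eval, so metacharacters in the value are inert.
blkid_value() {
    want=$1
    case $want in ID_*) ;; *) return 1 ;; esac
    case ${want#ID_} in ''|*[!A-Z0-9_]*) return 1 ;; esac
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$want="*) printf '%s\n' "${line#*=}"; return 0 ;;
        esac
    done
    return 1
}

# blkid_udev_is_safe: stricter check for callers that still want to trust the
# output wholesale. Returns 0 only if every line is KEY=VALUE with a
# well-formed ID_* key and a value limited to a conservative character set
# (assumption: the exact set escaped by the upstream fix is not on this page).
blkid_udev_is_safe() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ID_*=*) ;; *) return 1 ;; esac
        key=${line%%=*}
        case ${key#ID_} in ''|*[!A-Z0-9_]*) return 1 ;; esac
        case ${line#*=} in *[!A-Za-z0-9._:/@-]*) return 1 ;; esac
    done
    return 0
}

# Usage: fetch one field without ever evaluating the output.
fs_label=$(printf '%s\n' "$SAMPLE_OUTPUT" | blkid_value ID_FS_LABEL)
printf 'label stored literally: %s\n' "$fs_label"
if printf '%s\n' "$SAMPLE_OUTPUT" | blkid_udev_is_safe; then
    echo "output clean"
else
    echo "output contains unsafe lines; do not eval it"
fi
```

In a real script the `printf ... | ` stand-in is replaced by `blkid -o udev "$dev" |`, and `-p` still bypasses the cache as the report notes, but the parsing stays the same either way.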



Marked as found in versions util-linux/2.20.1-5.3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Nov 2014 09:18:10 GMT)


Reply sent to Andreas Henriksson <andreas@fatal.se>:
You have taken responsibility. (Fri, 12 Dec 2014 17:57:31 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 12 Dec 2014 17:57:31 GMT)


Message #12 received at 771274-close@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: 771274-close@bugs.debian.org
Subject: Bug#771274: fixed in util-linux 2.25.2-4
Date: Fri, 12 Dec 2014 17:49:51 +0000
Source: util-linux
Source-Version: 2.25.2-4

We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 771274@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson <andreas@fatal.se> (supplier of updated util-linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 12 Dec 2014 18:23:24 +0100
Source: util-linux
Binary: util-linux util-linux-locales mount bsdutils fdisk-udeb cfdisk-udeb libblkid1 libblkid1-udeb libblkid-dev libmount1 libmount-dev libsmartcols1 libsmartcols1-udeb libsmartcols-dev libuuid1 uuid-runtime libuuid1-udeb uuid-dev util-linux-udeb
Architecture: source amd64 all
Version: 2.25.2-4
Distribution: unstable
Urgency: medium
Maintainer: Debian util-linux Maintainers <ah-util-linux@debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Description:
 bsdutils   - basic utilities from 4.4BSD-Lite
 cfdisk-udeb - Manually partition a hard drive (cfdisk) (udeb)
 fdisk-udeb - Manually partition a hard drive (fdisk) (udeb)
 libblkid-dev - block device id library - headers and static libraries
 libblkid1  - block device id library
 libblkid1-udeb - stripped down block device id library, for debian-installer (udeb)
 libmount-dev - device mounting library - headers and static libraries
 libmount1  - device mounting library
 libsmartcols-dev - smart column output alignment library - headers and static librar
 libsmartcols1 - smart column output alignment library
 libsmartcols1-udeb - stripped down smart column output aligment library, for debian-in (udeb)
 libuuid1   - Universally Unique ID library
 libuuid1-udeb - stripped down universally unique id library, for debian-installer (udeb)
 mount      - Tools for mounting and manipulating filesystems
 util-linux - Miscellaneous system utilities
 util-linux-locales - Locales files for util-linux
 util-linux-udeb - stripped down miscellaneous system utilities, for debian-installe (udeb)
 uuid-dev   - universally unique id library - headers and static libraries
 uuid-runtime - runtime components for the Universally Unique ID library
Closes: 770506 771092 771274
Changes:
 util-linux (2.25.2-4) unstable; urgency=medium
 .
   [ David Prévot ]
   * Update POT and PO files and clean up .gmo files
   * Update German translation, thanks to Mario Blättermann
   * Update Spanish translation, thanks to Antonio Ceballos Roa
   * Update French translation (Closes: #770506)
   * Update Ukrainian translation, thanks to Yuri Chornoivan
   * Update Brazilian Portuguese translation, thanks to Rafael Ferreira
   * Update Chinese (simplified) translation, thanks to Wylmer Wang
   * Update Danish translation, thanks to Joe Hansen
   * Update Finnish translation, thanks to Lauri Nurmi
   * Update Japanese translation, thanks to Takeshi Hamasaki
   * Update Russian translation, thanks to Pavel Maryanov
   * Trivial unfuzzy
 .
   [ Andreas Henriksson ]
   * Add debian/patches/libblkid-care-about-unsafe-chars-in-cache.patch
     - from upstream git master commit 89e90ae7
       "libblkid: care about unsafe chars in cache"
     - This fixes CVE-2014-9114: blkid command injection
       see https://security-tracker.debian.org/tracker/CVE-2014-9114
     Thanks to Salvatore Bonaccorso (Closes: #771274)
   * libuuid1: add passwd dependency for user migration (Closes: #771092)
Package-Type: udeb





Information forwarded to debian-bugs-dist@lists.debian.org, Debian util-linux Maintainers <ah-util-linux@debian.org>:
Bug#771274; Package src:util-linux. (Mon, 15 Dec 2014 19:54:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian util-linux Maintainers <ah-util-linux@debian.org>. (Mon, 15 Dec 2014 19:54:11 GMT)


Message #17 received at 771274@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 771274@bugs.debian.org
Cc: Andreas Henriksson <andreas@fatal.se>
Subject: Follow-up on blkid command injection issue (Bug#771274: fixed in util-linux 2.25.2-4)
Date: Mon, 15 Dec 2014 20:50:19 +0100
Hi Andreas,

Sorry, I cannot check it right now myself, but could you have a look at
http://www.openwall.com/lists/oss-security/2014/12/15/3 . Apparently
the initial patch had an issue, and there is also a followup on this.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian util-linux Maintainers <ah-util-linux@debian.org>:
Bug#771274; Package src:util-linux. (Tue, 16 Dec 2014 09:39:12 GMT)


Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>:
Extra info received and forwarded to list. Copy sent to Debian util-linux Maintainers <ah-util-linux@debian.org>. (Tue, 16 Dec 2014 09:39:12 GMT)


Message #22 received at 771274@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: Salvatore Bonaccorso <carnil@debian.org>, 771274@bugs.debian.org
Subject: Re: Bug#771274: Follow-up on blkid command injection issue (Bug#771274: fixed in util-linux 2.25.2-4)
Date: Tue, 16 Dec 2014 10:27:07 +0100
Hello Salvatore Bonaccorso.

On Mon, Dec 15, 2014 at 08:50:19PM +0100, Salvatore Bonaccorso wrote:
> Hi Andreas,
> 
> Sorry, I cannot check it right now myself, but could you have a look at
> http://www.openwall.com/lists/oss-security/2014/12/15/3 . Apparently
> the initial patch had an issue, and there is also a followup on this.

Thanks for your followup.

I cherry-picked the actual upstream commit (read: Karel Zak's version)
and did not use the patch submitted for review (read: Sebastian's version).

This should mean that the fix made by Karel Zak should be included
in our package.

(Anyone digging deeper into this would of course be appreciated.)

Regards,
Andreas Henriksson



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 08:00:33 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:04:27 2019; Machine Name: buxtehude
