Opened 8 months ago

Closed 8 months ago

#4989 closed enhancement (fixed)

util-linux-2.37.3 (security fix)

Reported by: pierre Owned by: ken@…
Priority: high Milestone: 11.1
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version

util-linux 2.37.3 Release Notes
===============================

This release fixes two security mount(8) and umount(8) issues:

CVE-2021-3996
    Improper UID check in libmount allows an unprivileged user to unmount FUSE
    filesystems of users with similar UID.

CVE-2021-3995
    This issue is related to parsing the /proc/self/mountinfo file allows an
    unprivileged user to unmount other user's filesystems that are either
    world-writable themselves or mounted in a world-writable directory.

Description of the vulnerabilities at https://www.openwall.com/lists/oss-security/2022/01/24/2. Excerpt:

This vulnerability allows an unprivileged user to unmount other users'
filesystems that are either world-writable themselves (like /tmp) or
mounted in a world-writable directory.

For example, on Fedora, /tmp is a tmpfs, so we can mount a basic FUSE
filesystem named "/tmp/ (deleted)" (with FUSE's "hello world" program,
./hello) and unmount /tmp itself (a denial of service

Attachments (1)

raw.8 (4.6 KB ) - added by Xi Ruoyao 8 months ago.
missed man page generated using asciidoc/xmlto

Download all attachments as: .zip

Change History (8)

by Xi Ruoyao, 8 months ago

Attachment: raw.8 added

missed man page generated using asciidoc/xmlto

comment:1 by Xi Ruoyao, 8 months ago

Hit an issue: https://github.com/util-linux/util-linux/issues/1579

I attached the generated man page in the ticket. We can upload it to anduin.

comment:2 by Xi Ruoyao, 8 months ago

Well, this should not cause problem building LFS, as linux/raw.h has been removed since Linux API headers from 5.13 or newer.

But in the SA we should workaround the issue for the users upgrading util-linux on their old system. --disable-raw seems enough for them.

comment:3 by Bruce Dubbs, 8 months ago

Resolution: fixed
Status: newclosed

Fixed at commit e1ebbef46a60aefd2cb48c6fc82ac3c1414a4054

Package updates.
    Update to vim-8.2.4236.
    Update to zstd-1.5.2.
    Update to util-linux-2.37.3 (security fix).
    Update to Python-3.10.2.
    Update to linux-5.16.2.
    Update to libcap-2.63.
    Update to iproute2-5.16.0.
    Update to iana-etc-20220120.

in reply to:  2 comment:4 by ken@…, 8 months ago

Resolution: fixed
Status: closedreopened

Replying to Xi Ruoyao:

Well, this should not cause problem building LFS, as linux/raw.h has been removed since Linux API headers from 5.13 or newer.

But in the SA we should workaround the issue for the users upgrading util-linux on their old system. --disable-raw seems enough for them.

On systems before we merged /usr the libraries need to go in /lib, other wise things such as umount will not work (ask me how I know :)

I was reluctant to write the SA because I didn't know how far back this vulnerability existed, but looking at the openwall advisory I now see it was introduced in November 2018 which appears to mean it is in 2.33.

Reopening because I don't like tickets with a pending advisory to be closed before the advisory is issued. I hope to do that within the next 24 hours.

comment:5 by ken@…, 8 months ago

Owner: changed from lfs-book to ken@…
Status: reopenednew

comment:6 by ken@…, 8 months ago

Advisory SA 11.0-062 created

comment:7 by ken@…, 8 months ago

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.