Debian Bug report logs -
#328141
mount: umount -r drops nosuid flag (CAN-2005-2876)
Reported by: Paul Szabo <psz@maths.usyd.edu.au>
Date: Tue, 13 Sep 2005 20:33:02 UTC
Severity: critical
Tags: patch, security
Merged with 329063
Found in versions mount/2.11n-7, mount/2.12p-4
Fixed in version util-linux/2.12p-8
Done: LaMont Jones <lamont@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#328141; Package mount.
(full text, mbox, link).
Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
New Bug report received and forwarded. Copy sent to LaMont Jones <lamont@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: mount
Version: 2.11n-7
Severity: critical
File: /bin/umount
Tags: security
Justification: root security hole
Please see
http://www.securityfocus.com/archive/1/410333
for details. Verified (that noexec flag is gone) as follows:
psz:~$ id
uid=1001(psz) gid=1001(amstaff) groups=1001(amstaff),24(cdrom),25(floppy)
psz:~$ grep cdrom /etc/fstab
/dev/cdrom /cdrom iso9660 ro,user,noauto 0 0
psz:~$ /bin/mount /cdrom
psz:~$ /bin/mount | grep cdrom
/dev/cdrom on /cdrom type iso9660 (ro,noexec,nosuid,nodev,user=psz)
psz:~$ /cdrom/ML3/ML_30_013_Linuxi.bin
bash: /cdrom/ML3/ML_30_013_Linuxi.bin: /bin/sh: bad interpreter: Permission denied
psz:~$ cd /cdrom
psz:/cdrom$ /bin/umount -r /cdrom
umount: /dev/cdrom busy - remounted read-only
psz:/cdrom$ cd
psz:~$ /bin/mount | grep cdrom
/dev/cdrom on /cdrom type iso9660 (ro)
psz:~$ /cdrom/ML3/ML_30_013_Linuxi.bin
Unpacking to /tmp/ML.tar...
[ctrl-C]
psz:~$ /bin/umount -r /cdrom
psz:~$
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.27-smssvr1.6 #1 SMP Wed Aug 24 12:16:31 EST 2005 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages mount depends on:
ii libc6 2.2.5-11.8 GNU C Library: Shared libraries an
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#328141; Package mount.
(full text, mbox, link).
Acknowledgement sent to Max Vozeler <max@decl.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.
(full text, mbox, link).
Message #10 received at 328141@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 328141 +patch
thanks
On Wed, Sep 14, 2005 at 06:22:00AM +1000, Paul Szabo wrote:
> [ .. umount -r drops flags ]
> http://www.securityfocus.com/archive/1/410333
The attached patch is extracted from 2.12r-pre1, it simply
disallows user r/o remounts.
cheers,
Max
[no_user_remount.diff (text/plain, inline)]
--- /home/max/deb/loop-aes-utils/trunk/mount/umount.c 2005-08-27 12:24:13.000000000 +0200
+++ util-linux-2.12r-pre1/mount/umount.c 2005-09-10 20:07:38.000000000 +0200
@@ -714,7 +714,7 @@
if (getuid () != geteuid ()) {
suid = 1;
- if (all || types || nomtab || force)
+ if (all || types || nomtab || force || remount)
die (2, _("umount: only root can do that"));
}
Tags added: patch
Request was from Max Vozeler <max@decl.org>
to control@bugs.debian.org.
(full text, mbox, link).
Changed Bug title.
Request was from Max Vozeler <max@decl.org>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#328141; Package mount.
(full text, mbox, link).
Acknowledgement sent to Max Vozeler <max@decl.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.
(full text, mbox, link).
Message #21 received at 328141@bugs.debian.org (full text, mbox, reply):
This bug has been assigned CAN-2005-2876
cheers,
Max
Reply sent to LaMont Jones <lamont@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #28 received at 328141-close@bugs.debian.org (full text, mbox, reply):
Source: util-linux
Source-Version: 2.12p-8
We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive:
bsdutils_2.12p-8_i386.deb
to pool/main/u/util-linux/bsdutils_2.12p-8_i386.deb
fdisk-udeb_2.12p-8_i386.udeb
to pool/main/u/util-linux/fdisk-udeb_2.12p-8_i386.udeb
mount_2.12p-8_i386.deb
to pool/main/u/util-linux/mount_2.12p-8_i386.deb
util-linux-locales_2.12p-8_all.deb
to pool/main/u/util-linux/util-linux-locales_2.12p-8_all.deb
util-linux_2.12p-8.diff.gz
to pool/main/u/util-linux/util-linux_2.12p-8.diff.gz
util-linux_2.12p-8.dsc
to pool/main/u/util-linux/util-linux_2.12p-8.dsc
util-linux_2.12p-8_i386.deb
to pool/main/u/util-linux/util-linux_2.12p-8_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 328141@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
LaMont Jones <lamont@debian.org> (supplier of updated util-linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 21 Sep 2005 08:36:17 -0600
Source: util-linux
Binary: util-linux fdisk-udeb util-linux-locales bsdutils mount
Architecture: all i386 source
Version: 2.12p-8
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: LaMont Jones <lamont@debian.org>
Description:
bsdutils - Basic utilities from 4.4BSD-Lite
fdisk-udeb - Partition a hard drive (manual, cfdisk)
mount - Tools for mounting and manipulating filesystems
util-linux - Miscellaneous system utilities
util-linux-locales - Locales files for util-linux
Closes: 328141 329063
Changes:
util-linux (2.12p-8) unstable; urgency=high
.
* if /etc/adjtime is a dangling symlink, don't use it in hwclock*.sh
* Applited patch by Max Vozeler to fix a local privilege escalation
vulnerability in umount -r [debian/patches/51security_CAN-2005-2876.dpatch]
Closes: #328141, #329063
Files:
05dc3e83e483b500a188941d4ec58ca0 700 base required util-linux_2.12p-8.dsc
262121de89e4a4d5da64a9a3043978a9 66258 base required bsdutils_2.12p-8_i386.deb
9ae6656ec71c88fd133b065491ab5079 76281 base required util-linux_2.12p-8.diff.gz
a7c20de195c91631b873ee77745f66f2 140396 base required mount_2.12p-8_i386.deb
d415a1a9db5caa576f2b674183aba292 369144 base required util-linux_2.12p-8_i386.deb
f07516de7a286e0d396aa9dafa95fc3b 1072692 utils optional util-linux-locales_2.12p-8_all.deb
f28485490ec5b6208c4850bdec4d2fc0 537254 debian-installer extra fdisk-udeb_2.12p-8_i386.udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDMXGRzN/kmwoKyScRAsj5AJ0dhwzeGrFvt4qByplpRYb8Sq1QiwCdEvAy
QDMHhcsAA129GQwDOx8gJBQ=
=M26d
-----END PGP SIGNATURE-----
Reply sent to LaMont Jones <lamont@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #33 received at 329063-close@bugs.debian.org (full text, mbox, reply):
Source: util-linux
Source-Version: 2.12p-8
We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive:
bsdutils_2.12p-8_i386.deb
to pool/main/u/util-linux/bsdutils_2.12p-8_i386.deb
fdisk-udeb_2.12p-8_i386.udeb
to pool/main/u/util-linux/fdisk-udeb_2.12p-8_i386.udeb
mount_2.12p-8_i386.deb
to pool/main/u/util-linux/mount_2.12p-8_i386.deb
util-linux-locales_2.12p-8_all.deb
to pool/main/u/util-linux/util-linux-locales_2.12p-8_all.deb
util-linux_2.12p-8.diff.gz
to pool/main/u/util-linux/util-linux_2.12p-8.diff.gz
util-linux_2.12p-8.dsc
to pool/main/u/util-linux/util-linux_2.12p-8.dsc
util-linux_2.12p-8_i386.deb
to pool/main/u/util-linux/util-linux_2.12p-8_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 329063@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
LaMont Jones <lamont@debian.org> (supplier of updated util-linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 21 Sep 2005 08:36:17 -0600
Source: util-linux
Binary: util-linux fdisk-udeb util-linux-locales bsdutils mount
Architecture: all i386 source
Version: 2.12p-8
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: LaMont Jones <lamont@debian.org>
Description:
bsdutils - Basic utilities from 4.4BSD-Lite
fdisk-udeb - Partition a hard drive (manual, cfdisk)
mount - Tools for mounting and manipulating filesystems
util-linux - Miscellaneous system utilities
util-linux-locales - Locales files for util-linux
Closes: 328141 329063
Changes:
util-linux (2.12p-8) unstable; urgency=high
.
* if /etc/adjtime is a dangling symlink, don't use it in hwclock*.sh
* Applited patch by Max Vozeler to fix a local privilege escalation
vulnerability in umount -r [debian/patches/51security_CAN-2005-2876.dpatch]
Closes: #328141, #329063
Files:
05dc3e83e483b500a188941d4ec58ca0 700 base required util-linux_2.12p-8.dsc
262121de89e4a4d5da64a9a3043978a9 66258 base required bsdutils_2.12p-8_i386.deb
9ae6656ec71c88fd133b065491ab5079 76281 base required util-linux_2.12p-8.diff.gz
a7c20de195c91631b873ee77745f66f2 140396 base required mount_2.12p-8_i386.deb
d415a1a9db5caa576f2b674183aba292 369144 base required util-linux_2.12p-8_i386.deb
f07516de7a286e0d396aa9dafa95fc3b 1072692 utils optional util-linux-locales_2.12p-8_all.deb
f28485490ec5b6208c4850bdec4d2fc0 537254 debian-installer extra fdisk-udeb_2.12p-8_i386.udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDMXGRzN/kmwoKyScRAsj5AJ0dhwzeGrFvt4qByplpRYb8Sq1QiwCdEvAy
QDMHhcsAA129GQwDOx8gJBQ=
=M26d
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#328141; Package mount.
(full text, mbox, link).
Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.
(full text, mbox, link).
Message #38 received at 328141@bugs.debian.org (full text, mbox, reply):
Dear Debian Security,
Quoting from http://www.debian.org/security/ :
Debian takes security very seriously. Most security problems
brought to our attention are corrected within 48 hours.
Can we please have a DSA for this problem?
Thanks,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#328141; Package mount.
(full text, mbox, link).
Acknowledgement sent to "James Bagley Jr." <james@thelostnet.net>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.
(full text, mbox, link).
Message #43 received at 328141@bugs.debian.org (full text, mbox, reply):
Package: mount
Version: 2.12p-4
File: /bin/umount
I run a server with / mounted ro. When maintenance is required on / then
I have to remount it rw, perform whatever operation is required and then
remount / ro. After installing the new util-linux and mount packages I
cannot do this. I get:
# mount / -o remount,ro
mount: / is busy
#
This worked flawlessly until updating these packages.
James Bagley Jr
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 08:29:53 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Stefano Zacchiroli <zack@debian.org>
to control@bugs.debian.org.
(Sun, 10 Apr 2011 08:47:10 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 09 May 2011 07:40:56 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Oct 11 12:08:28 2017;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.