Debian Bug report logs - #576687
udisks - Exports dm table data


Package: udisks; Maintainer for udisks is Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>; Source for udisks is src:udisks.

Reported by: Bastian Blank <waldi@debian.org>

Date: Tue, 6 Apr 2010 14:42:05 UTC

Severity: critical

Tags: confirmed, fixed-upstream, security, upstream

Found in version udisks/1.0.0-1

Fixed in version udisks/1.0.1-1

Done: Martin Pitt <mpitt@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.freedesktop.org/show_bug.cgi?id=27494



Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#576687; Package udisks. (Tue, 06 Apr 2010 14:42:07 GMT)

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 06 Apr 2010 14:42:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: submit@bugs.debian.org
Subject: udisks - Exports dm table data
Date: Tue, 6 Apr 2010 16:36:50 +0200
Package: udisks
Version: 1.0.0-1+b1
Severity: critical

udisks exports the device-mapper table data to udev. This data includes
encryption keys.

Bastian

-- 
The face of war has never changed.  Surely it is more logical to heal
than to kill.
		-- Surak of Vulcan, "The Savage Curtain", stardate 5906.5




Added tag(s) security. Request was from Ansgar Burchardt <ansgar@43-1.org> to control@bugs.debian.org. (Tue, 06 Apr 2010 14:57:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#576687; Package udisks. (Tue, 06 Apr 2010 15:27:11 GMT)

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 06 Apr 2010 15:27:11 GMT)

Message #12 received at 576687@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: Bastian Blank <waldi@debian.org>, 576687@bugs.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#576687: udisks - Exports dm table data
Date: Tue, 06 Apr 2010 17:03:58 +0200
[Message part 1 (text/plain, inline)]
On 06.04.2010 16:36, Bastian Blank wrote:
> Package: udisks
> Version: 1.0.0-1+b1
> Severity: critical
> 
> udisks exports the device-mapper table data to udev. This data includes
> encryption keys.

Hi Bastian,

looking at the source code of udisks-dm-export.c, I see that the following
variables are exported to udev:

UDISKS_DM_TARGETS_COUNT, UDISKS_DM_TARGETS_TYPE, UDISKS_DM_TARGETS_START,
UDISKS_DM_TARGETS_LENGTH, UDISKS_DM_TARGETS_PARAMS.

In which of those variables is the "table data" exported? I don't see anything
suspicious there.
Am I looking at the wrong place? If so, could you please explain in more detail
where the problem is.

Thanks,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#576687; Package udisks. (Tue, 06 Apr 2010 15:42:02 GMT)

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 06 Apr 2010 15:42:03 GMT)

Message #17 received at 576687@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: Michael Biebl <biebl@debian.org>
Cc: 576687@bugs.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#576687: udisks - Exports dm table data
Date: Tue, 6 Apr 2010 17:32:13 +0200
On Tue, Apr 06, 2010 at 05:03:58PM +0200, Michael Biebl wrote:
> In which of those variables is the "table data" exported? I don't see anything
> suspicious there.
> Am I looking at the wrong place? If so, could you please explain in more detail
> where the problem is.

According to the udev db, the following is exported:

| E:UDISKS_DM_TARGETS_COUNT=1
| E:UDISKS_DM_TARGETS_TYPE=crypt
| E:UDISKS_DM_TARGETS_START=0
| E:UDISKS_DM_TARGETS_LENGTH=1467585
| E:UDISKS_DM_TARGETS_PARAMS=aes-cbc-essiv:sha256\x20XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x200\x208:5\x200

UDISKS_DM_TARGETS_PARAMS includes the complete table entry, in case of
the crypt target this includes the key and iv type.

Bastian

-- 
Our way is peace.
		-- Septimus, the Son Worshiper, "Bread and Circuses",
		   stardate 4040.7.




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#576687; Package udisks. (Tue, 06 Apr 2010 18:57:06 GMT)

Acknowledgement sent to Anthony DeRobertis <anthony@derobert.net>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 06 Apr 2010 18:57:07 GMT)

Message #22 received at 576687@bugs.debian.org:

From: Anthony DeRobertis <anthony@derobert.net>
To: Debian Bug Tracking System <576687@bugs.debian.org>
Subject: gets written to a+r file ...
Date: Tue, 06 Apr 2010 14:21:34 -0400
Package: udisks
Version: 1.0.0-1+b1
Severity: critical

The udev data is viewable by all users by running:

	/sbin/udevadm info --query=all --name=mapper/sdb4_crypt

Not only that, it is written to an a+r file /dev/.udev/db/block:dm-1,
which is THANKFULLY on a tmpfs.

So anyone on the system who can read files can read encryption keys.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (100, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-4-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages udisks depends on:
ii  libatasmart4      0.17+git20100219-1     ATA S.M.A.R.T. reading and parsing
ii  libc6             2.10.2-6               Embedded GNU C Library: Shared lib
ii  libdbus-1-3       1.2.20-2               simple interprocess messaging syst
ii  libdbus-glib-1-2  0.84-1                 simple interprocess messaging syst
ii  libdevmapper1.02. 2:1.02.45-1            The Linux Kernel Device Mapper use
ii  libglib2.0-0      2.22.4-1               The GLib library of C routines
ii  libgudev-1.0-0    151-3                  GObject-based wrapper library for 
ii  libparted1.8-12   1.8.8.git.2009.07.19-6 The GNU Parted disk partitioning s
ii  libpolkit-backend 0.96-1                 PolicyKit backend API
ii  libpolkit-gobject 0.96-1                 PolicyKit Authorization API
ii  libsgutils2-2     1.28-2                 utilities for working with generic
ii  libudev0          151-3                  libudev shared library
ii  udev              151-3                  /dev/ and hotplug management daemo

Versions of packages udisks recommends:
ii  dosfstools                    3.0.9-1    utilities for making and checking 
ii  hdparm                        9.27-2     tune hard disk parameters for high
ii  mtools                        4.0.12-1   Tools for manipulating MSDOS files
pn  ntfs-3g                       <none>     (no description available)
pn  ntfsprogs                     <none>     (no description available)
ii  policykit-1                   0.96-1     framework for managing administrat

Versions of packages udisks suggests:
ii  cryptsetup                    2:1.1.0-2  configures encrypted block devices
ii  mdadm                         3.0.3-2    tool to administer Linux MD arrays
pn  reiserfsprogs                 <none>     (no description available)
pn  xfsprogs                      <none>     (no description available)

-- no debconf information
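The two messages above give the check (udevadm info on the mapper device, or the world-readable udev db file) and the shape of the leaked value: the crypt target's full table line, cipher, key, IV offset, backing device and offset, joined with \x20 escapes. The script below is an added example, not code from this bug report or from udisks. It parses `udevadm info --export-db` style text, flags devices whose exported UDISKS_DM_TARGETS_PARAMS is a crypt target carrying an inline hex key, and shows what a redacted export looks like. The embedded udev database is constructed for the example and its key is a made-up placeholder; the script assumes one target per device (UDISKS_DM_TARGETS_COUNT=1, as in the report), since the page does not say how udisks 1.0.0 separated multiple targets.

```python
import re
import sys

# Constructed sample in the shape of `udevadm info --export-db` output.
# The hex key is a made-up placeholder, not a real key. dm-2 is a plain
# linear target, included to show that only crypt targets are flagged.
SAMPLE_UDEV_DB = r"""P: /devices/virtual/block/dm-1
N: dm-1
E: DEVNAME=/dev/dm-1
E: UDISKS_DM_TARGETS_COUNT=1
E: UDISKS_DM_TARGETS_TYPE=crypt
E: UDISKS_DM_TARGETS_START=0
E: UDISKS_DM_TARGETS_LENGTH=1467585
E: UDISKS_DM_TARGETS_PARAMS=aes-cbc-essiv:sha256\x20000102030405060708090a0b0c0d0e0f\x200\x208:5\x200

P: /devices/virtual/block/dm-2
N: dm-2
E: DEVNAME=/dev/dm-2
E: UDISKS_DM_TARGETS_COUNT=1
E: UDISKS_DM_TARGETS_TYPE=linear
E: UDISKS_DM_TARGETS_START=0
E: UDISKS_DM_TARGETS_LENGTH=8192
E: UDISKS_DM_TARGETS_PARAMS=8:6\x202048
"""

_UDEV_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
_HEX_KEY = re.compile(r"[0-9a-fA-F]+")


def udev_unescape(value):
    """Undo udev's \\xNN escaping of property values (\\x20 is a space)."""
    return _UDEV_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_udev_db(text):
    """Split export-db text into one dict per device (blank line separated).
    Keeps the N: node name as NAME and every E: KEY=VALUE property, raw."""
    devices, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                devices.append(current)
            current = None
            continue
        if current is None:
            current = {}
        tag, _, rest = line.partition(": ")
        if tag == "N":
            current["NAME"] = rest
        elif tag == "E":
            key, _, val = rest.partition("=")
            current[key] = val
    if current:
        devices.append(current)
    return devices


def crypt_target_fields(params):
    """Split a crypt target's table parameters. dm-crypt's layout is
    <cipher> <key> <iv_offset> <device> <offset> [optional args...]."""
    fields = udev_unescape(params).split()
    if len(fields) < 5:
        raise ValueError("not a crypt target parameter string: %r" % params)
    return fields


def crypt_target_key(params):
    """The second field of a crypt target line is the key itself."""
    return crypt_target_fields(params)[1]


def redact_crypt_params(params):
    """What a safe export would look like: every field except the key."""
    fields = crypt_target_fields(params)
    fields[1] = "<redacted>"
    return " ".join(fields)


def find_leaked_keys(db_text):
    """Return (node name, key) for each device whose exported dm table is a
    single crypt target with an inline hex key (assumes TARGETS_COUNT=1)."""
    leaks = []
    for dev in parse_udev_db(db_text):
        if dev.get("UDISKS_DM_TARGETS_COUNT") != "1":
            continue
        if dev.get("UDISKS_DM_TARGETS_TYPE") != "crypt":
            continue
        key = crypt_target_key(dev["UDISKS_DM_TARGETS_PARAMS"])
        if _HEX_KEY.fullmatch(key):
            leaks.append((dev.get("NAME", "?"), key))
    return leaks


if __name__ == "__main__":
    # On a live system: `udevadm info --export-db | python3 check_dm_export.py -`
    # Without the "-" argument the constructed sample above is scanned.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_UDEV_DB
    for name, key in find_leaked_keys(text):
        print("%s: crypt key exported to udev db (%d hex chars)" % (name, len(key)))
```

The hex check matters because a key field that is not hex (for example a keyring reference) is not the raw key material; only an inline hex key is a direct disclosure of what dm-crypt is using.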




Set Bug forwarded-to-address to 'https://bugs.freedesktop.org/show_bug.cgi?id=27494'. Request was from Anthony DeRobertis <anthony@derobert.net> to control@bugs.debian.org. (Tue, 06 Apr 2010 22:27:10 GMT)

Added tag(s) upstream and confirmed. Request was from Martin Pitt <martin.pitt@ubuntu.com> to control@bugs.debian.org. (Wed, 07 Apr 2010 06:21:07 GMT)

Added tag(s) fixed-upstream. Request was from Martin Pitt <martin.pitt@ubuntu.com> to control@bugs.debian.org. (Wed, 07 Apr 2010 06:21:09 GMT)

Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility. (Fri, 09 Apr 2010 16:48:07 GMT)

Notification sent to Bastian Blank <waldi@debian.org>:
Bug acknowledged by developer. (Fri, 09 Apr 2010 16:48:07 GMT)

Message #33 received at 576687-close@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 576687-close@bugs.debian.org
Subject: Bug#576687: fixed in udisks 1.0.1-1
Date: Fri, 09 Apr 2010 16:44:47 +0000
Source: udisks
Source-Version: 1.0.1-1

We believe that the bug you reported is fixed in the latest version of
udisks, which is due to be installed in the Debian FTP archive:

devicekit-disks-doc_1.0.1-1_all.deb
  to main/u/udisks/devicekit-disks-doc_1.0.1-1_all.deb
udisks-doc_1.0.1-1_all.deb
  to main/u/udisks/udisks-doc_1.0.1-1_all.deb
udisks_1.0.1-1.diff.gz
  to main/u/udisks/udisks_1.0.1-1.diff.gz
udisks_1.0.1-1.dsc
  to main/u/udisks/udisks_1.0.1-1.dsc
udisks_1.0.1-1_amd64.deb
  to main/u/udisks/udisks_1.0.1-1_amd64.deb
udisks_1.0.1.orig.tar.gz
  to main/u/udisks/udisks_1.0.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 576687@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated udisks package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 09 Apr 2010 18:19:18 +0200
Source: udisks
Binary: udisks udisks-doc devicekit-disks-doc
Architecture: source all amd64
Version: 1.0.1-1
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Martin Pitt <mpitt@debian.org>
Description: 
 devicekit-disks-doc - transitional package to udisks-doc
 udisks     - abstraction for enumerating block devices
 udisks-doc - abstraction for enumerating block devices - documentation
Closes: 574908 576687
Changes: 
 udisks (1.0.1-1) unstable; urgency=high
 .
   Urgency high because of security bug fix.
 .
   [ Michael Biebl ]
   * Build against parted 2.2. (Closes: #574908)
   * debian/control
     - Add dependency on dbus.
 .
   [ Martin Pitt ]
   * New upstream bug fix release:
     - umount.udisks: Exit with return code 0 if the unmount succeeded.
       (LP: #541740)
     - Allow other rules (such as media-player-info) to set a more specific
       presentation icon.
     - Set multimedia-player-ipod icon for iPod media players. (LP: #540235)
     - Stop exporting DM key information. (Closes: #576687, LP: #556651,
       CVE-2010-1149)
     - Fix DM partition table detection.
     - job-drive-benchmark.c: Fix data types in error messages. (LP: #527202)
     - Hide Sony E-Book launcher partition. (LP: #546924)
     - Various test suite improvements.
Checksums-Sha1: 
 df35c23dea3820c41c4950547a04e59a1a65cd64 1700 udisks_1.0.1-1.dsc
 ad3e2a79a2638b75448116b292262cfa1e909518 714246 udisks_1.0.1.orig.tar.gz
 8febf3ba191db466ad4dd8f0da2b3cbbbc77f45d 16037 udisks_1.0.1-1.diff.gz
 35e4a3052b483c32b25b307ba7055f0b0513e52a 78290 udisks-doc_1.0.1-1_all.deb
 fd82a73d188b52e94d13f29f2d798d01b827c870 15798 devicekit-disks-doc_1.0.1-1_all.deb
 f6a8512dd7565273b46d24ae4dd341cce4266e35 241680 udisks_1.0.1-1_amd64.deb
Checksums-Sha256: 
 b428c7f69ef21f6444d6946eb7359e4587783c5ea0e5a5230e60febc04653b7f 1700 udisks_1.0.1-1.dsc
 d9bf1ab56667dfa12e99461c503736e3964cf94dd41f30a1229a0e173429b841 714246 udisks_1.0.1.orig.tar.gz
 933ab0f1c81f5ab0c42d36a809736364ffec33666af639f69a588ad12a04841a 16037 udisks_1.0.1-1.diff.gz
 aa9801d78ac8d14d0711f9003bb2eefb4981ef8af0ae37e3ba97c5c0431624a2 78290 udisks-doc_1.0.1-1_all.deb
 25aae905681b706f481b216547ae5847d00e9190126e9d1003c462adbec993ac 15798 devicekit-disks-doc_1.0.1-1_all.deb
 cb5c4f82eb4ae8200533b47eae39b0369bbf6f4e7475928ebcbd6264fdd85ef3 241680 udisks_1.0.1-1_amd64.deb
Files: 
 558ac5cc3ed285dd69272532c43148f1 1700 admin optional udisks_1.0.1-1.dsc
 3654d994eb43b80c8c2d04fe03da30c4 714246 admin optional udisks_1.0.1.orig.tar.gz
 a45af23be82895371e9ee5d68d217a88 16037 admin optional udisks_1.0.1-1.diff.gz
 bb42e5ea88e59ca5910b4f487bdb14c2 78290 doc optional udisks-doc_1.0.1-1_all.deb
 19f068e6de562619512b5d7b58572faa 15798 oldlibs optional devicekit-disks-doc_1.0.1-1_all.deb
 49e1e71c2119c94e993006f802ac03e8 241680 admin optional udisks_1.0.1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAku/VYMACgkQDecnbV4Fd/K1jgCeJu+ERsuO/VQj0jHdOCZAC0Ee
UN0Anin5ARa/vgGrzVURRGEOFDzqlRVl
=2d4I
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#576687; Package udisks. (Sat, 10 Apr 2010 00:03:10 GMT)

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 10 Apr 2010 00:03:10 GMT)

Message #38 received at 576687@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: <576687@bugs.debian.org>
Subject: explanation?
Date: Fri, 09 Apr 2010 23:52:03 +0000
Hi.

What did this exactly mean? That any normal user on the system was able to
read the cleartext dmcrypt keys?
How can udisks know of them? Shouldn't they be just in kernel memory?
What if I use LUKS?

Thanks,
Chris.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 14 May 2010 07:41:38 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 20:25:00 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.