Bugzilla – Bug 907434
VUL-0: CVE-2014-9114: util-linux: command injection flaw in blkid
Last modified: 2016-01-07 16:18:05 UTC
Sebastian Krahmer reported a command injection flaw in blkid. This could possibly result in command execution with root privileges (for example, when running blkid on a malicious USB drive). References: http://www.openwall.com/lists/oss-security/2014/11/26/13 https://bugzilla.redhat.com/show_bug.cgi?id=1168485
There is already a commit related to that: https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-12-12. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59827
Please wait with the update. I am currently reviewing upstream patches and it looks like there could be more that needs fixing.
Sent more patches to upstream, waiting for a reply from them.
Created attachment 616579 [details]: blkid overflow patch. My proposal sent upstream for the overflows.
Created attachment 617178 [details]: blkid overflow patch. New patch, fixing a twisted compare.
Thanks to upstream. There was a wrong compare. Everything should be in place now. Please go ahead.
openSUSE (12.3, 13.1, 13.2): Created OBS maintenance request 265631. openSUSE:Factory: Not updated, I will wait for version 2.25.3. SLE12: Created IBS maintenance request 47646. SLE10 and SLE11: I am now going on vacation. I'll be back on January 2nd. If you are in a hurry, please re-assign it to somebody. The best starting point would be 12.3, as it backports the needed modifications of void safe_print(). If not in a hurry, I'll backport these patches in January. Please confirm that all 6 versions of util-linux are still supported and need an update: https://build.suse.de/project/show/home:sbrabec:branches:OBS_Maintained:util-linux-bsc907434
That URL above is somehow broken. I looked at home:sbrabec:branches:OBS_Maintained:util-linux-bsc907434. We do NOT need (EOLed in this version): util-linux.SUSE_SLE-11_Update_Test. We MIGHT need for LTSS: util-linux.SUSE_SLE-10-SP4_Update_Test and util-linux.SUSE_SLE-11-SP2_Update_Test (not sure if we want an LTSS update). The others (10-sp3, 11-sp1, 11-sp3) are definitely needed.
URL again: https://build.suse.de/project/show/home:sbrabec:branches:OBS_Maintained:util-linux-bsc907434 I finished backports to SUSE:SLE-11-SP3:Update:Test and SUSE:SLE-11-SP1:Update:Test. I am going to work on SUSE:SLE-10-SP3:Update:Test. The backporting process is not trivial, so please let me know which other repositories are requested. Several features are not present in SUSE:SLE-11-SP1:Update:Test, so many hunks don't apply there. I believe that I did not lose any. Other parts are significantly different. There is one specific thing that seems to have a different way to exploit and needs a different fix. Here is the fix for Factory: --- a/libblkid/src/probe.c +++ b/libblkid/src/probe.c @@ -103,6 +103,7 @@ #include <inttypes.h> #include <stdint.h> #include <stdarg.h> +#include <limits.h> #ifdef HAVE_LIBUUID # include <uuid.h> @@ -578,6 +579,12 @@ unsigned char *blkid_probe_get_buffer(blkid_probe pr, return NULL; } + /* someone trying to overflow some buffers? */ + if (len >= ULONG_MAX - sizeof(struct blkid_bufinfo)) { + errno = ENOMEM; + return NULL; + } + /* allocate info and space for data by why call */ bf = calloc(1, sizeof(struct blkid_bufinfo) + len); if (!bf) { Here is a proposed fix for a similar issue in SLE11 SP1. The place in the code is similar, the allocation purpose as well, but the way they allocate is different. I think that it could be exploited if off > 0 || len > 0 but off + len overflows and it is < 0. Index: util-linux-ng-2.16/shlibs/blkid/src/probe.c =================================================================== --- util-linux-ng-2.16.orig/shlibs/blkid/src/probe.c +++ util-linux-ng-2.16/shlibs/blkid/src/probe.c @@ -25,6 +25,7 @@ #endif #include <stdint.h> #include <stdarg.h> +#include <limits.h> #ifdef HAVE_LIBUUID # ifdef HAVE_UUID_UUID_H
@@ -207,7 +208,7 @@ unsigned char *blkid_probe_get_buffer(bl { ssize_t ret_read = 0; - if (off < 0 || len < 0) { + if (off < 0 || len < 0 || off + len < 0) { DBG(DEBUG_LOWPROBE, printf("unexpected offset or length of buffer requested\n")); return NULL;
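Review bot: in the Factory hunk for blkid_probe_get_buffer() (@@ -578,6 +579,12 @@) the new comparison mixes a signed `len` with the unsigned ULONG_MAX, so how a negative `len` behaves here depends on the usual arithmetic conversions for the platform's type widths rather than on the intent of the check; keep an explicit `off < 0 || len < 0` rejection ahead of this comparison instead of relying on the conversion. The comment `/* someone trying to overflow some buffers? */` should also name what it protects, namely the `sizeof(struct blkid_bufinfo) + len` handed to calloc() two lines below, so a later reader does not move the check away from the allocation.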
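Review bot: `off + len < 0` in the SLE11 SP1 hunk (@@ -207,7 +208,7 @@) only catches the overflow if the signed addition actually wraps, and signed overflow is undefined behaviour in C: a compiler that has just established `off >= 0 && len >= 0` from the two preceding tests is entitled to treat `off + len < 0` as always false and drop it. Test without performing the overflowing addition, for example `if (off < 0 || len < 0 || len > SSIZE_MAX - off)` (substituting the maximum of whatever type `off` and `len` have in this tree); that also gives the newly added `#include <limits.h>` a use, since nothing in the hunk as written refers to it.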
I think the patch can go in that way. The other overflow is not in blkid_probe_get_buffer(). The main topic of this bug is the command injection in util-linux-libblkid-unsafe-chars.patch. Can you backport this more easily to all the code streams?
Trying the URL again with escaping: https://build.suse.de/project/show/home:sbrabec:branches:OBS_Maintained:util-linux-%62%73%63907434 Old versions of SLE (SLE11 SP1) don't have --export in blkid, so the chances of exploiting them in scripts are significantly lower. Very old SLE versions (SLE10) don't have blkid at all, but they have mount by ID.
Should I backport fixes for SUSE:SLE-10-SP4:Update:Test and SUSE:SLE-11-SP2:Update:Test? Regarding SLE10: Hopefully, the code using blkid in SLE10 is dependent on an external libblkid. And our packages are compiled without blkid support (at least in SLE10 SP3). [ 43s] You don't have blkid There is only a minor part of libblkid-like functionality without libblkid: mounting by name and UUID. As it is not exploitable by itself, I would stay away from backporting the parse_token() changes. These changes cannot be considered fixes, they are just complementary changes to the exploit-preventing save_quoted(). And these changes even cause a minor change of behavior for volumes with " or \ in names.
So I think there is no need for SLES10 backports at all? I would say leave out the LTSS updates for now (so NO backports for SUSE:SLE-10-SP4:Update:Test and SUSE:SLE-11-SP2:Update:Test).
I just finished my review of util-linux in SLE10 SP3. Regarding unsafe characters in blkid: As I said in comment 14, I believe that the code is not exploitable, as there is no machine readable output. Regarding buffer allocation overflow: The fix from libblkid/src/partitions/gpt.c:get_gpt_header() has a valid backport to util-linux-2.12r/partx/gpt.c:alloc_read_gpt_entries(): https://build.suse.de/package/view_file/home:sbrabec:branches:OBS_Maintained:util-linux-%62%73%63907434/util-linux.SUSE_SLE-10-SP3_Update_Test/util-linux-libblkid-overflow.patch?expand=1 I was trying to find the same exploit vector as in libblkid/src/probe.c:blkid_probe_get_buffer(). The code is very different there. There is no similar call; all probers handle the buffers they need themselves. I believe that the code implementing that functionality is here: util-linux-2.12r/mount/mount_guess_fstype.c. As far as I see, there is only one offset that can possibly overflow: offset = 2048 * (toc[i]->cdte_addr.lba + 16); Hopefully, nothing worse can happen than passing a bad offset to lseek() and reading a random chunk from the CD-ROM. I found no other backport-able fixes. I just submitted the fix to IBS. It depends on you whether you want to release the fix as a security update.
Thinking about the upstream fix, I still see no way to safely parse blkid output in shell. According to the manual page, this should be done by -o export. But it is still dangerous. PoC:
dd if=/dev/null of=test.img bs=1024 seek=65536
/sbin/mkfs.ext4 -L 'a uname' test.img
(/sbin/blkid -o export test.img ; echo 'echo "Label is $LABEL."') | sh
Expected output:
Label is a uname.
Current output:
Linux
Label is .
Please ignore my last comment. I tested it with an unfixed blkid. The fix escapes spaces, so everything is OK, and the string does not need quotes. -o export is first supported in SLE11 SP3, and not supported in SLE11 SP1.
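The PoC in the two comments above shows the consumer-side pattern that turns an unescaped label into a command: the output of blkid -o export is handed to sh as code, so a value like "a uname" is parsed as an assignment prefix followed by a command. The script below is an added example and is not code from the bug thread or from util-linux; it does not run blkid, the export lines are constructed inline, and "echo INJECTED" stands in for the uname of the PoC so the demonstration is harmless. It puts the unsafe consumer next to one that treats the export output as data, splitting each line at the first "=" and accepting only an allowlisted set of keys, so that nothing in a value ever reaches the shell parser regardless of how the producer escapes it.

```shell
#!/bin/sh
# Added example: consuming "blkid -o export"-style KEY=value lines.
# blkid is never run here; callers feed constructed export lines on stdin.

# The unsafe consumer from the PoC: the export text is executed by sh.
# "LABEL=a echo INJECTED" is parsed as an assignment prefix for the command
# "echo INJECTED", so the command runs and LABEL is not set afterwards.
unsafe_export_to_shell() {
    { cat; echo 'echo "Label is $LABEL."'; } | sh
}

# Safe consumer: the output is data, not code. Each line is split at the
# first '=', the key is checked against an allowlist, and the raw value of
# the requested key is printed. Returns 1 if the key is not present.
get_export_value() {
    want=$1
    while IFS= read -r line; do
        case $line in
            [A-Z]*=*) ;;            # must look like KEY=value
            *) continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        case $key in
            LABEL|UUID|TYPE|PARTLABEL|PARTUUID|DEVNAME) ;;
            *) continue ;;          # unknown key: skip, never eval
        esac
        if [ "$key" = "$want" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done
    return 1
}

# Constructed sample in the shape an unfixed blkid would emit for the
# PoC's test image, with "echo INJECTED" in place of uname.
SAMPLE_EXPORT='LABEL=a echo INJECTED
TYPE=ext4
UUID=12345678-1234-1234-1234-123456789abc'

# Run with "demo" as the first argument to see both consumers side by side.
if [ "${1:-}" = "demo" ]; then
    echo "--- unsafe consumer (executes the value) ---"
    printf '%s\n' "$SAMPLE_EXPORT" | unsafe_export_to_shell
    echo "--- safe consumer (returns the value as data) ---"
    printf '%s\n' "$SAMPLE_EXPORT" | get_export_value LABEL
fi
```

With a fixed blkid the value returned by get_export_value is the escaped form that the fix produces; decode it with an explicit routine if the original label is needed, never by evaluating it.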
Submitted: SLE10-SP3: Created IBS request id 48058. SLE11-SP1: created IBS request id 48057. SLE11-SP3: created IBS request id 48056. Other versions were submitted in December or will not be submitted. Factory is still waiting for a new upstream version. If it does not appear in a month or so, I'll submit patches there as well.
Vulnerability matrix (blkid cache / blkid export / safe print / probe buffer / GPT table):
SLE10-SP3: N/A / N/A / N/A / no / yes
SLE11-SP1: N/A / N/A / yes / different / yes
SLE11-SP3: yes / yes / yes / yes / yes
SLE12: yes / yes / yes / yes / yes
openSUSE-SU-2015:0066-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 907434 CVE References: CVE-2014-9114 Sources used: openSUSE 13.2 (src): python-libmount-2.25.1-9.2, util-linux-2.25.1-9.1, util-linux-systemd-2.25.1-9.1 openSUSE 13.1 (src): util-linux-2.23.2-24.1
Checked in for SLE11 SP1, SLE11 SP3 and SLE10 SP3. As there is no new upstream stable version with a fix yet, I backported it for Factory as well. Submitted as OBS request id 284107. From my side everything is done. Feel free to close the bug.
This is an autogenerated message for OBS integration: This bug (907434) was mentioned in https://build.opensuse.org/request/show/284107 Factory / util-linux
SUSE-SU-2015:0270-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 907434,908742 CVE References: CVE-2014-9114 Sources used: SUSE Linux Enterprise Workstation Extension 12 (src): util-linux-2.25-10.1 SUSE Linux Enterprise Software Development Kit 12 (src): util-linux-2.25-10.1 SUSE Linux Enterprise Server 12 (src): python-libmount-2.25-10.3, util-linux-2.25-10.1, util-linux-systemd-2.25-10.1 SUSE Linux Enterprise Desktop 12 (src): python-libmount-2.25-10.3, util-linux-2.25-10.1, util-linux-systemd-2.25-10.1
This is an autogenerated message for OBS integration: This bug (907434) was mentioned in https://build.opensuse.org/request/show/285827 Factory / util-linux
This is an autogenerated message for OBS integration: This bug (907434) was mentioned in https://build.opensuse.org/request/show/285829 Factory / util-linux
SUSE-SU-2015:0580-1: An update that solves one vulnerability and has 5 fixes is now available. Category: security (moderate) Bug References: 888678,900965,901549,907434,917164,918041 CVE References: CVE-2014-9114 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): util-linux-2.19.1-6.62.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): util-linux-2.19.1-6.62.1 SUSE Linux Enterprise Server 11 SP3 (src): util-linux-2.19.1-6.62.1 SUSE Linux Enterprise Desktop 11 SP3 (src): util-linux-2.19.1-6.62.1
main distros released