oss-sec mailing list archives
Re: blkid command injection
From: cve-assign () mitre org
Date: Wed, 26 Nov 2014 12:16:55 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
There is a command injection inside blkid. Given an USB stick with /dev/sdb1 you can: ... ID_FS_`/tmp/foo` "" UUID=... "blkid -o udev" is often used in root context via udev or in automounters (uam-pmount) to construct key=value environment variables inside shell scripts which are then evaluated.
Use CVE-2014-9114. It seems fairly clear that "blkid -o udev" is attempting to create lines that are safe sh input. Or, more specifically, the expectation is that the lines would be directly usable. We currently don't see a reasonable alternative interpretation that blkid is simply attempting to provide output lines that accurately reflect strings found on device media, and is expecting that other components will make a security determination about each line, before using that line as sh input. Also, the blkid maintainer has apparently made other changes relating to quoting of strings found on device media: http://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit/?id=1c9885cde853a458b5abe5ce0804abc27caf4fd4 (we understand that it's not completely analogous). Finally, http://git.kernel.org/cgit/utils/util-linux/util-linux.git/tree/misc-utils/blkid.8 says 'print key="value" pairs for easy import into the udev environment' and those security determinations would probably not be considered "easy import." - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUdgo0AAoJEKllVAevmvms/vEH/Rt5DBzngbJz8CFPoomJbQyv NSK59hcK0iWcvEf62RVRfD3S1jvqSUGZeFIILujK0vOrEMbiuyyqgKUjqnarcF8W ofwEonzPQofKjaT5TmrlGjuhSCJcyM8VrD4yg4ctGfIWcr4MID6BoPUC4T2wLxq6 8z4T2dfa8FhOlCDO7WcjQGX0N72tbc9ptD5ISCo7QiPJdkX8mdlABariB5u9FTap /FoBfwlx+/R64grEqvHB7SM4DKqJLE/6OBOVuESIDeh32uIPtZ69Y+gM7t5h6H2E Tq232BVj9+uvdJsFouWxDMi/GXWeCqrcrTIa6EvuepKJ5a7LcWi/UJvswzQvsy8= =1Rws -----END PGP SIGNATURE-----
Current thread:
- blkid command injection Sebastian Krahmer (Nov 26)
- Re: blkid command injection cve-assign (Nov 26)
- Re: blkid command injection Murray McAllister (Nov 27)
- Re: blkid command injection Sebastian Krahmer (Dec 02)
- Re: blkid command injection Sebastian Krahmer (Dec 15)
- Re: blkid command injection Sebastian Krahmer (Dec 02)