Bug 653900

Summary: VUL-0: udisks DBUS root service allows to load arbitrary LKM
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: General
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Critical
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:released:11.3:40480
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Deadline: 2011-03-03

Description Sebastian Krahmer 2010-11-16 10:58:39 UTC
need to have a look :(
Comment 1 Sebastian Krahmer 2010-12-06 09:39:45 UTC
Arbitrary LKMs from /lib/modules can be loaded via

dbus-send --system --print-reply --dest=org.freedesktop.UDisks          \
                   /org/freedesktop/UDisks/devices/sr0                  \
                   org.freedesktop.UDisks.Device.FilesystemMount        \
                   string:'$VULNERABLE_LKM' array:string:''

as this will trigger a mount -t $VULNERABLE_LKM, which in turn triggers
a modprobe -q -- $VULNERABLE_LKM.
Additionally, it could be used to mount a pseudo FS like proc
to an arbitrary place inside /media.
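The defensive counterpart to the report above, as an added example that is not udisks' own code or the fix shipped for this bug: a privileged mount helper validates the caller-supplied filesystem type against a fixed allowlist before it ever reaches mount -t, so neither an unexpected module name nor a pseudo filesystem such as proc can be passed through. The allowlist contents and the function name fstype_allowed are assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Filesystem types an unprivileged caller may ask the service to mount.
 * Pseudo filesystems (proc, sysfs, ...) and any unknown name are rejected,
 * so mount -t never runs modprobe for a type the service did not expect.
 * This list is constructed for the example, not taken from udisks. */
static const char *const allowed_fstypes[] = {
    "vfat", "ntfs", "ext2", "ext3", "ext4", "xfs", "btrfs",
    "iso9660", "udf", "hfsplus",
};

/* Returns true only if fstype is non-NULL, non-empty, at most 16 bytes,
 * made solely of lowercase letters and digits, and present in the
 * allowlist. The character check rejects option smuggling such as
 * "vfat,nosuid" or path-like strings before the string comparison. */
bool fstype_allowed(const char *fstype)
{
    size_t len, i;

    if (fstype == NULL)
        return false;
    len = strlen(fstype);
    if (len == 0 || len > 16)
        return false;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)fstype[i];
        if (!islower(c) && !isdigit(c))
            return false;
    }
    for (i = 0; i < sizeof allowed_fstypes / sizeof allowed_fstypes[0]; i++) {
        if (strcmp(fstype, allowed_fstypes[i]) == 0)
            return true;
    }
    return false;
}
```

A service that exposes mounting over D-Bus would call this on the fstype argument of the mount method and return an error to the caller on false, instead of forwarding the string to mount(8).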
Comment 2 Thomas Biege 2011-02-24 11:54:46 UTC
CVE-2010-4661: CVSS v2 Base Score: 4.6 (low) (AV:L/AC:L/Au:N/C:P/I:P/A:P): unknown (unknown)
Comment 3 Thomas Biege 2011-02-24 11:55:32 UTC
public now
Comment 4 Swamp Workflow Management 2011-02-24 11:56:57 UTC
The SWAMPID for this issue is 38943.
This issue was rated as important.
Please submit fixed packages until 2011-03-03.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 5 Thomas Biege 2011-02-24 11:58:52 UTC
Kay, please take over. Thanks.
Comment 7 Kay Sievers 2011-04-26 18:56:26 UTC
Patched 11.3 package submitted to openSUSE:11.3:Update:Test/udisks:
  https://build.opensuse.org/request/show/68439

Patched 11.4 package submitted to openSUSE:11.4:Update:Test/udisks:
  https://build.opensuse.org/request/show/68437

Factory package submitted:
  https://build.opensuse.org/request/show/68434
Comment 10 Bernhard Wiedemann 2011-04-28 11:50:22 UTC
This is an autogenerated message for OBS integration:
This bug (653900) was mentioned in
https://build.opensuse.org/request/show/68447
Comment 11 Swamp Workflow Management 2011-04-29 08:21:36 UTC
Update released for: udisks, udisks-debuginfo, udisks-debugsource, udisks-devel
Products:
openSUSE 11.4 (debug, i586, x86_64)
Comment 12 Swamp Workflow Management 2011-04-29 08:22:13 UTC
Update released for: udisks, udisks-debuginfo, udisks-debugsource, udisks-devel
Products:
openSUSE 11.3 (debug, i586, x86_64)
Comment 13 Ludwig Nussel 2011-04-29 08:23:43 UTC
released