653900 – VUL-0: udisks DBUS root service allows to load arbitrary LKM

Bug 653900 - VUL-0: udisks DBUS root service allows to load arbitrary LKM

Summary: VUL-0: udisks DBUS root service allows to load arbitrary LKM

Status:	RESOLVED FIXED

Alias:	None

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	General (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Critical
Target Milestone:	---
Deadline:	2011-03-03
Assignee:	Security Team bot
QA Contact:	E-mail List

URL:
Whiteboard:	maint:released:11.3:40480
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2010-11-16 10:58 UTC by Sebastian Krahmer
Modified:	2011-04-29 08:25 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Krahmer 2010-11-16 10:58:39 UTC

need to have a look :(

Comment 1 Sebastian Krahmer 2010-12-06 09:39:45 UTC

Arbitrary LKMs from /lib/modules can be loaded

via 

dbus-send --system --print-reply --dest=org.freedesktop.UDisks          \
                   /org/freedesktop/UDisks/devices/sr0                  \
                   org.freedesktop.UDisks.Device.FilesystemMount        \
                   string:'$VULNERABLE_LKM' array:string:''

as this will trigger a mount -t $VULNERABLE_LKM which triggers
a modprobe -q -- $VULNERABLE_LKM.
Additionally it could be used to mount pseudo FS like proc
to arbitrary place inside /media

Comment 2 Thomas Biege 2011-02-24 11:54:46 UTC

CVE-2010-4661: CVSS v2 Base Score: 4.6 (low) (AV:L/AC:L/Au:N/C:P/I:P/A:P): unknown (unknown)

Comment 3 Thomas Biege 2011-02-24 11:55:32 UTC

public now

Comment 4 Swamp Workflow Management 2011-02-24 11:56:57 UTC

The SWAMPID for this issue is 38943.
This issue was rated as important.
Please submit fixed packages until 2011-03-03.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 5 Thomas Biege 2011-02-24 11:58:52 UTC

Kay, please take over. Thanks.

Comment 6 Ludwig Nussel 2011-03-15 13:42:10 UTC

http://cgit.freedesktop.org/udisks/commit/?id=c933a929f07421ec747cebb24d5e620fc2b97037

Comment 7 Kay Sievers 2011-04-26 18:56:26 UTC

Patched 11.3 package submitted to openSUSE:11.3:Update:Test/udisks:
  https://build.opensuse.org/request/show/68439

Patched 11.4 package submitted to openSUSE:11.4:Update:Test/udisks:
  https://build.opensuse.org/request/show/68437

Factory package submitted:
  https://build.opensuse.org/request/show/68434

Comment 10 Bernhard Wiedemann 2011-04-28 11:50:22 UTC

This is an autogenerated message for OBS integration:
This bug (653900) was mentioned in
https://build.opensuse.org/request/show/68447

Comment 11 Swamp Workflow Management 2011-04-29 08:21:36 UTC

Update released for: udisks, udisks-debuginfo, udisks-debugsource, udisks-devel
Products:
openSUSE 11.4 (debug, i586, x86_64)

Comment 12 Swamp Workflow Management 2011-04-29 08:22:13 UTC

Update released for: udisks, udisks-debuginfo, udisks-debugsource, udisks-devel
Products:
openSUSE 11.3 (debug, i586, x86_64)

Comment 13 Ludwig Nussel 2011-04-29 08:23:43 UTC

released