[Bug 1022999] New: VUL-0: CVE-2017-0358: ntfs-3g: modprobe influence vulnerability via environment variables
http://bugzilla.opensuse.org/show_bug.cgi?id=1022999

Bug ID: 1022999
Summary: VUL-0: CVE-2017-0358: ntfs-3g: modprobe influence vulnerability via environment variables
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/259
==============================================
Hi,

Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe to load the fuse module. This influences the behavior of modprobe (MODPROBE_OPTIONS environment variable, --config and --dirname options), potentially allowing for local root privilege escalation if ntfs-3g is installed setuid. This is the case for Debian, Ubuntu and probably Gentoo. This problem has been in the source since 2008, maybe before.

The fix is easy: use execle instead of execl and pass NULL as environment variables.

-- cut --
--- ntfs-3g/src/lowntfs-3g.c.ref 2016-12-31 08:56:59.011749600 +0100 +++ ntfs-3g/src/lowntfs-3g.c 2017-01-05 14:41:52.041473700 +0100 @@ -4291,13 +4291,14 @@ struct stat st; pid_t pid; const char *cmd = "/sbin/modprobe"; + char *env = (char*)NULL; struct timespec req = { 0, 100000000 }; /* 100 msec */ fuse_fstype fstype; if (!stat(cmd, &st) && !geteuid()) { pid = fork(); if (!pid) { - execl(cmd, cmd, "fuse", NULL); + execle(cmd, cmd, "fuse", NULL, &env); _exit(1); } else if (pid != -1) waitpid(pid, NULL, 0); --- ntfs-3g/src/ntfs-3g.c.ref 2016-12-31 08:56:59.022518700 +0100 +++ ntfs-3g/src/ntfs-3g.c 2017-01-05 15:45:45.912499400 +0100
@@ -3885,13 +3885,14 @@ struct stat st; pid_t pid; const char *cmd = "/sbin/modprobe"; + char *env = (char*)NULL; struct timespec req = { 0, 100000000 }; /* 100 msec */ fuse_fstype fstype; if (!stat(cmd, &st) && !geteuid()) { pid = fork(); if (!pid) { - execl(cmd, cmd, "fuse", NULL); + execle(cmd, cmd, "fuse", NULL, &env); _exit(1); } else if (pid != -1) waitpid(pid, NULL, 0);
-- cut --

CVE-2017-0358 is assigned to this issue by Salvatore Bonaccorso, Debian Security Team.

Regards,
Laszlo/GCS
==============================================

https://software.opensuse.org/package/ntfs-3g
TW: 2016.2.22 official repo
42.(1|2): 2013.1.13 official repo

-- 
You are receiving this mail because: You are on the CC list for the bug.
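Review bot: In the lowntfs-3g.c hunk, `execle(cmd, cmd, "fuse", NULL, &env)` with `char *env = (char*)NULL;` is correct, because `&env` points at a one-element array whose only entry is NULL, i.e. an empty envp, but it reads as if a single NULL string were being passed and a later reader may "fix" it. Spelling the intent out as `char *const envp[] = { NULL };` and passing `envp` removes that ambiguity; passing a bare `NULL` as the envp argument instead would rely on Linux-specific behaviour and should not be used. An empty environment is safe for this call since `cmd` is the absolute path `/sbin/modprobe` and no PATH lookup is involved.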
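Review bot: The ntfs-3g.c hunk is a line-for-line copy of the lowntfs-3g.c one: the same `stat`/`fork`/`execle`/`_exit`/`waitpid` sequence lives in two files, which is why this environment problem had to be patched twice and could easily be fixed in only one place next time. Suggest moving the modprobe spawn into a single shared helper used by both front ends so that the exec environment is controlled in exactly one spot. Minor: `env` is only used inside the `if (!pid)` child branch, so declaring it there keeps the variable next to its single use.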
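To make the difference between the two exec calls in the patch concrete, here is an added C example (not ntfs-3g code): the same fork-and-exec pattern as the hunks, once inheriting the parent's environment as the old `execl()` did and once with an explicit empty envp as the `execle()` fix does. It runs `/bin/sh` instead of modprobe so it works unprivileged, and the MODPROBE_OPTIONS value it sets is a constructed marker, not a real option.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run `path` with argv, inheriting our environment (scrub == 0, what execl() did in
 * ntfs-3g) or with an empty one (scrub == 1, what the execle() fix does). The child's
 * stdout is captured into out[outlen]. Returns 0 on success, -1 on error. */
static int run_capture(const char *path, char *const argv[], int scrub,
                       char *out, size_t outlen)
{
    /* Empty envp: only the terminating NULL; this is what the patch's `&env` passes. */
    char *const empty_env[] = { NULL };
    int fds[2], status;
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                        /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        if (scrub)
            execve(path, argv, empty_env); /* like execle(cmd, ..., NULL, &env) */
        else
            execv(path, argv);             /* like execl(): inherits environ */
        _exit(127);
    }
    close(fds[1]);                         /* parent: read everything the child prints */
    size_t n = 0; ssize_t r;
    while (n + 1 < outlen && (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return 0;
}

/* Put a constructed, harmless MODPROBE_OPTIONS value into our own environment and ask
 * a child shell whether it sees it. Returns 1 if it did, 0 if not, -1 on spawn error. */
int child_sees_modprobe_options(int scrub)
{
    static const char marker[] = "CONSTRUCTED-MARKER";
    char *const argv[] = { "sh", "-c", "printf '%s' \"${MODPROBE_OPTIONS-unset}\"", NULL };
    char out[128];
    if (setenv("MODPROBE_OPTIONS", marker, 1) == -1 ||
        run_capture("/bin/sh", argv, scrub, out, sizeof out) == -1)
        return -1;
    return strcmp(out, marker) == 0;
}
```

With scrub == 0 the child shell prints the marker (the variable leaked through, as with the unpatched `execl()`), with scrub == 1 it prints "unset".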
http://bugzilla.opensuse.org/show_bug.cgi?id=1022999#c1
--- Comment #1 from Mikhail Kasimov <mikhail.kasimov@gmail.com> ---
Alias CVE-2017-0358 seems to be already taken. Please close the current report as a dup of the private report, whose number is unknown to me.
http://bugzilla.opensuse.org/show_bug.cgi?id=1022999#c2

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |astieger@suse.com
         Resolution|---                         |DUPLICATE

--- Comment #2 from Andreas Stieger <astieger@suse.com> ---
(In reply to Mikhail Kasimov from comment #1)
> Alias CVE-2017-0358 seems to be already taken. Please close the current report as a dup of the private report, whose number is unknown to me.

You don't really need to report duplicates in this case.

*** This bug has been marked as a duplicate of bug 1022500 ***
http://bugzilla.opensuse.org/show_bug.cgi?id=1022999#c3
--- Comment #3 from Mikhail Kasimov <mikhail.kasimov@gmail.com> ---
(In reply to Andreas Stieger from comment #2)
> (In reply to Mikhail Kasimov from comment #1)
> > Alias CVE-2017-0358 seems to be already taken. Please close the current report as a dup of the private report, whose number is unknown to me.
>
> You don't really need to report duplicates in this case.
>
> *** This bug has been marked as a duplicate of bug 1022500 ***

boo doesn't display any hints when I'm searching by CVE number, only "Zarro Boogs found". At the same time, searching on security-tracker.debian.org in the SuSE section displays that I have no access to the given CVE number, and that can be a marker that my report to boo is a dup. Let boo display "You have no access to %found_CVE-num%" instead of "Zarro Boogs found", without the assistance of external trackers. This will make everybody's life much easier. Thank you!
http://bugzilla.opensuse.org/show_bug.cgi?id=1022999#c4
--- Comment #4 from Andreas Stieger <astieger@suse.com> ---
Accessing the CVE via alias will differ depending on whether the alias is already used ("no access") or not ("invalid alias"):
https://bugzilla.opensuse.org/show_bug.cgi?id=CVE-YYYY-NNNN
http://bugzilla.opensuse.org/show_bug.cgi?id=1022999#c5
--- Comment #5 from Mikhail Kasimov <mikhail.kasimov@gmail.com> ---
(In reply to Andreas Stieger from comment #4)
> Accessing the CVE via alias will differ depending on whether the alias is already used ("no access") or not ("invalid alias"):
> https://bugzilla.opensuse.org/show_bug.cgi?id=CVE-YYYY-NNNN

OK, next time (hopefully soon) I'll show you how it reproduces. ;)