Gentoo Archives: gentoo-announce

From: Mikle Kolyada <zlogene@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201405-01 ] udisks: Arbitrary code execution
Date: Fri, 02 May 2014 06:56:24
Message-Id: 53634234.6000207@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201405-01
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: udisks: Arbitrary code execution
9 Date: May 02, 2014
10 Bugs: #504100
11 ID: 201405-01
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A stack-based buffer overflow vulnerability has been found in udisks,
19 allowing a local attacker to possibly execute arbitrary code or cause
20 Denial of Service.
21
22 Background
23 ==========
24
25 udisks is an abstraction for enumerating block devices and performing
26 operations on them.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 sys-fs/udisks < 2.1.3 *>= 1.0.5
35 >= 2.1.3
36
37 Description
38 ===========
39
40 A stack-based buffer overflow can be triggered when udisks is given a
41 long path name as a mount point.
42
43 Impact
44 ======
45
46 A local attacker could possibly execute arbitrary code with the
47 privileges of the process or cause a Denial of Service condition.
48
49 Workaround
50 ==========
51
52 There is no known workaround at this time.
53
54 Resolution
55 ==========
56
57 All udisks 1.0 users should upgrade to the latest version:
58
59 # emerge --sync
60 # emerge --ask --oneshot --verbose ">=sys-fs/udisks-1.0.5:0"
61
62 All udisks 2.0 users should upgrade to the latest version:
63
64 # emerge --sync
65 # emerge --ask --oneshot --verbose ">=sys-fs/udisks-2.1.3"
66
67 References
68 ==========
69
70 [ 1 ] CVE-2014-0004
71 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0004
72
73 Availability
74 ============
75
76 This GLSA and any updates to it are available for viewing at
77 the Gentoo Security Website:
78
79 http://security.gentoo.org/glsa/glsa-201405-01.xml
80
81 Concerns?
82 =========
83
84 Security is a primary focus of Gentoo Linux and ensuring the
85 confidentiality and security of our users' machines is of utmost
86 importance to us. Any security concerns should be addressed to
87 security@g.o or alternatively, you may file a bug at
88 https://bugs.gentoo.org.
89
90 License
91 =======
92
93 Copyright 2014 Gentoo Foundation, Inc; referenced text
94 belongs to its owner(s).
95
96 The contents of this document are licensed under the
97 Creative Commons - Attribution / Share Alike license.
98
99 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature