[Secure-testing-team] Bug#771274: util-linux: CVE-2014-9114: command injection flaw in blkid
Salvatore Bonaccorso
carnil at debian.org
Fri Nov 28 06:35:33 UTC 2014
Source: util-linux
Version: 2.25.2-3
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for util-linux.
CVE-2014-9114[0]:
blkid command injection
I'm a bit undecided about the severity, so have choosen grave for now,
but important might be more appropriate. Feel free to downgrade if you
disagree: I checked what might be calling blkid -o udev directly as
root in a Debian package:
http://codesearch.debian.net/search?q=blkid+-o+udev Most seem to call
blkid also with -p so not using the cache. OTOH, there is e.g.
grml-debootstrap which calls it this way, but should be safe as it is
called after creating a filesystem on the $TARGET.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-9114
[1] http://www.openwall.com/lists/oss-security/2014/11/26/13
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1168485
[3] https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list