CVE-2021-3996: libmount: remove support for deleted mount table entries · util-linux/util-linux@166e873
A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users’ filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.
@@ -55,7 +55,6 @@ enum { COL_ACTION, COL_AVAIL, COL_DELETED, COL_FREQ, COL_FSROOT, COL_FSTYPE, @@ -103,7 +102,6 @@ struct colinfo { static struct colinfo infos[] = { [COL_ACTION] = { "ACTION", 10, SCOLS_FL_STRICTWIDTH, N_(“action detected by --poll”) }, [COL_AVAIL] = { “AVAIL", 5, SCOLS_FL_RIGHT, N_(“filesystem size available”) }, [COL_DELETED] = { “DELETED", 1, SCOLS_FL_RIGHT, N_(“filesystem target marked as deleted”) }, [COL_FREQ] = { “FREQ", 1, SCOLS_FL_RIGHT, N_(“dump(8) period in days [fstab only]") }, [COL_FSROOT] = { “FSROOT", 0.25, SCOLS_FL_NOEXTREMES, N_(“filesystem root”) }, [COL_FSTYPE] = { “FSTYPE", 0.10, SCOLS_FL_TRUNC, N_(“filesystem type”) }, @@ -677,9 +675,6 @@ static char *get_data(struct libmnt_fs *fs, int num) if (!mnt_fs_is_kernel(fs)) xasprintf(&str, “%d", mnt_fs_get_passno(fs)); break; case COL_DELETED: str = xstrdup(mnt_fs_is_deleted(fs) ? “1” : “0”); break; default: break; } @@ -1033,9 +1028,6 @@ static int match_func(struct libmnt_fs *fs, return rc; }
if ((flags & FL_DELETED) && !mnt_fs_is_deleted(fs)) return rc;
return !rc; }
@@ -1304,7 +1296,6 @@ static void __attribute__((__noreturn__)) usage(void) fputs(_(" -b, --bytes print sizes in bytes rather than in human readable format\n”), out); fputs(_(" -C, --nocanonicalize don’t canonicalize when comparing paths\n”), out); fputs(_(" -c, --canonicalize canonicalize printed paths\n”), out); fputs(_(" --deleted print filesystems with mountpoint marked as deleted\n”), out); fputs(_(" -D, --df imitate the output of df(1)\n”), out); fputs(_(" -d, --direction <word> direction of search, ‘forward’ or 'backward’\n”), out); fputs(_(" -e, --evaluate convert tags (LABEL,UUID,PARTUUID,PARTLABEL) \n” @@ -1373,16 +1364,14 @@ int main(int argc, char *argv[]) FINDMNT_OPT_PSEUDO, FINDMNT_OPT_REAL, FINDMNT_OPT_VFS_ALL, FINDMNT_OPT_SHADOWED, FINDMNT_OPT_DELETED, FINDMNT_OPT_SHADOWED };
static const struct option longopts[] = { { "all", no_argument, NULL, ‘A’ }, { "ascii", no_argument, NULL, ‘a’ }, { "bytes", no_argument, NULL, ‘b’ }, { "canonicalize", no_argument, NULL, ‘c’ }, { "deleted", no_argument, NULL, FINDMNT_OPT_DELETED }, { "direction", required_argument, NULL, ‘d’ }, { "df", no_argument, NULL, ‘D’ }, { "evaluate", no_argument, NULL, ‘e’ }, @@ -1601,9 +1590,6 @@ int main(int argc, char *argv[]) case FINDMNT_OPT_SHADOWED: flags |= FL_SHADOWED; break; case FINDMNT_OPT_DELETED: flags |= FL_DELETED; break; case 'h’: usage(); case 'V’: @@ -1776,9 +1762,6 @@ int main(int argc, char *argv[]) case COL_TID: scols_column_set_json_type(cl, SCOLS_JSON_NUMBER); break; case COL_DELETED: scols_column_set_json_type(cl, SCOLS_JSON_BOOLEAN); break; default: if (fl & SCOLS_FL_WRAP) scols_column_set_json_type(cl, SCOLS_JSON_ARRAY_STRING);
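Review bot: The DELETED column is removed with no compatibility path, in the hunks at -55, -103, -677 and -1776. Once COL_DELETED is gone from the enum and from infos[], a script that asks for the column by name (`-o DELETED`) will no longer have it recognised, and JSON consumers lose the boolean field that the -1776 hunk stops typing. Please mention the removed column in the commit message or release notes so downstream users can tell this was a deliberate consequence of the CVE-2021-3996 fix and not a regression.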
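Review bot: Dropping `--deleted` from usage(), the option enum and longopts[] (hunks at -1304, -1373 and -1601) is a user-visible CLI change, but none of the hunks shown here touches the man page. Please update the findmnt documentation in the same commit. Also consider whether existing callers of `findmnt --deleted` should get a clear "option removed" message rather than the generic unknown-option error.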
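Review bot: No hunk shown here removes the definition of FL_DELETED, although its only visible uses go away in match_func (hunk at -1033) and in the option switch (hunk at -1601). If the flag is still defined, drop it in this commit so a dead bit does not linger in the flags set. The same applies to mnt_fs_is_deleted(): both calls visible here are removed, so please confirm no other in-tree caller remains, since the headline says libmount itself stops supporting deleted entries.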
Related news
Gentoo Linux Security Advisory 202401-8 - Multiple vulnerabilities have been discovered in util-linux which can lead to denial of service or information disclosure. Versions greater than or equal to 2.37.4 are affected.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
Qualys discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory, they tell the story of this vulnerability (which was introduced in February 2022 by the patch for CVE-2021-44731) and detail how they exploited it in Ubuntu Server (a local privilege escalation, from any user to root) by combining it with two vulnerabilities in multipathd (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973).