Bug 831978 (CVE-2021-3995, CVE-2021-3996)

Summary:	<sys-apps/util-linux-2.37.3: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	base-system
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.openwall.com/lists/oss-security/2022/01/24/2
See Also:	https://github.com/gentoo/gentoo/pull/23940
Whiteboard:	A3 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	831980
Bug Blocks:

Description John Helmert III archtester

2022-01-24 15:03:41 UTC

URL describes two vulnerabilites whose impact is the ability for an unauthorized user to unmount.

Seemingly unreleased patches: 
https://github.com/util-linux/util-linux/commit/166e87368ae88bf31112a30e078cceae637f4cdb
https://github.com/util-linux/util-linux/commit/57202f5713afa2af20ffbb6ab5331481d0396f8d
https://github.com/util-linux/util-linux/commit/9c05f4b6bf62a20a64a8e5735c7f3dcf0229e895

Comment 1 Larry the Git Cow gentoo-dev

2022-01-24 16:02:48 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5f5f2e564e448f86dee8c0271152c0dc47754d4

commit d5f5f2e564e448f86dee8c0271152c0dc47754d4
Author:     Mathieu Tortuyaux <mtortuyaux@microsoft.com>
AuthorDate: 2022-01-24 15:50:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-24 15:58:29 +0000

    sys-apps/util-linux: bump to version 2.37.3
    
    Bug: https://bugs.gentoo.org/831978
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
    Closes: https://github.com/gentoo/gentoo/pull/23940
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/util-linux/Manifest                       |   1 +
 .../util-linux-2.37.3-ioctl_ns-test-hang.patch     |  37 +++
 sys-apps/util-linux/util-linux-2.37.3.ebuild       | 317 +++++++++++++++++++++
 3 files changed, 355 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2022-01-24 16:08:37 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a614c66095fee76fc55e9fdea5b58e9bd39ef02

commit 5a614c66095fee76fc55e9fdea5b58e9bd39ef02
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-24 16:06:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-24 16:06:17 +0000

    sys-apps/util-linux: remove duplicate patch
    
    Bug: https://bugs.gentoo.org/831978
    Signed-off-by: Sam James <sam@gentoo.org>

 .../util-linux-2.37.3-ioctl_ns-test-hang.patch     | 37 ----------------------
 sys-apps/util-linux/util-linux-2.37.3.ebuild       |  2 +-
 2 files changed, 1 insertion(+), 38 deletions(-)

Comment 3 Larry the Git Cow gentoo-dev

2024-01-07 08:30:53 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4e42800d2202837758726b7cc0f86440487fee40

commit 4e42800d2202837758726b7cc0f86440487fee40
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-07 08:30:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-07 08:30:48 +0000

    [ GLSA 202401-08 ] util-linux: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/806070
    Bug: https://bugs.gentoo.org/831978
    Bug: https://bugs.gentoo.org/833365
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-08.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)