Bug 266290 (CVE-2009-1185) - <sys-fs/udev-124-r2: Local root exploit (CVE-2009-{1185,1186})
Summary: <sys-fs/udev-124-r2: Local root exploit (CVE-2009-{1185,1186})
Status: RESOLVED FIXED
Alias: CVE-2009-1185
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: http://www.ubuntu.com/usn/usn-758-1
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-15 17:55 UTC by Lance Albertson
Modified: 2009-04-18 19:14 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
udev-124.patch (udev-124.patch,1.13 KB, patch)
2009-04-15 20:59 UTC, Robert Buchholz (RETIRED)

Description Lance Albertson 2009-04-15 17:55:46 UTC
Kees Cook of Ubuntu informed us that there is a nasty local root exploit that was discovered with udev recently. It appears that upgrading to sys-fs/udev-141 and rebooting should fix the problem. There is no public exploit yet but Kees suggests that it shouldn't take a skilled attacker long to write one up.

Here is the text from the link referenced:

Sebastian Krahmer discovered that udev did not correctly validate netlink message senders. A local attacker could send specially crafted messages to udev in order to gain root privileges. (CVE-2009-1185)

Sebastian Krahmer discovered a buffer overflow in the path encoding routines in udev. A local attacker could exploit this to crash udev, leading to a denial of service. (CVE-2009-1186) 


Reproducible: Always
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-04-15 18:17:38 UTC
Tweaking summary as udev-141 seems to be not affected.
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-15 19:22:30 UTC
Maintainers, what are the stabilization plans for 141?
Comment 3 Matthias Schwarzott gentoo-dev 2009-04-15 20:27:54 UTC
For now latest stable is udev-124-r1 as you can see.

There is a stable request for udev-135-r4 open, but this one is blocked by some ugly dependency of cryptsetup.
The stable cryptsetup directly calls udevsettle (which it nevertheless should not do), but this makes cryptsetup depend on old udev. Some new ~arch cryptsetup has this fixed but has other bugs, and they do not consider backporting the applied patch to stable and make a new revision to finally allow udev to move forward.

So before this is solved we also cannot stable udev-141, besides this version is only 6 days in tree.

From looking at the descriptions it should be these two commits fixing the respective issues:
http://git.kernel.org/?p=linux/hotplug/udev.git;a=commit;h=662c3110803bd8c1aedacc36788e6fd028944314
http://git.kernel.org/?p=linux/hotplug/udev.git;a=commit;h=e86a923d508c2aed371cdd958ce82489cf2ab615

So maybe it is possible to backport them, but I have not checked yet.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-04-15 20:59:12 UTC
Created attachment 188500 [details, diff]
udev-124.patch

Ubuntu backport of the patch. Please apply to our stable.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-16 08:08:21 UTC
Adjusting severity according to whiteboard.
Comment 6 Matthias Schwarzott gentoo-dev 2009-04-16 08:59:43 UTC
Added the two backported patches from ubuntu and made a ~arch udev-124-r2
ebuild to be tested and stabled.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-16 09:08:16 UTC
Arches, please test and mark stable:
=sys-fs/udev-124-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 8 Hanno Böck gentoo-dev 2009-04-16 10:15:18 UTC
A question, as udev is a daemon (but not something one can just restart), how would one go forward on an already running system?

Is there a way to get the fix running without rebooting?

Something that should probably be mentioned in the advisory.
Comment 9 Matthias Schwarzott gentoo-dev 2009-04-16 11:29:12 UTC
(In reply to comment #8)
> A question, as udev is a daemon (but not something one can just restart), how
> would one go forward on an already running system?
> 
> Is there a way to get the fix running without rebooting?
> 
> Something that should probably be mentioned in the advisory.
> 
If you have a look at the udev ebuild: There udevd is restarted in pkg_postinst
Comment 10 Matthias Schwarzott gentoo-dev 2009-04-16 22:09:29 UTC
My additional plan is to remove all newer ~arch versions that are affected: udev-{122-r1,125-r2,130-r1,133,135,135-r1,135-r2,135-r3,135-r4,138,139,140}.ebuild

Any vetos?
That will leave us just with udev-141 that can play with openrc.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 22:15:32 UTC
(In reply to comment #10)
> My additional plan is to remove all newer ~arch versions that are affected:
> udev-{122-r1,125-r2,130-r1,133,135,135-r1,135-r2,135-r3,135-r4,138,139,140}.ebuild
> 
> Any vetos?

Please go ahead.


Also, arches, please note this is a high priority stabling.
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-17 16:23:29 UTC
CVE-2009-1185 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1185):
  udev before 1.4.1 does not verify whether a NETLINK message
  originates from kernel space, which allows local users to gain
  privileges by sending a NETLINK message from user space.

CVE-2009-1186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1186):
  Buffer overflow in the util_path_encode function in
  udev/lib/libudev-util.c in udev before 1.4.1 allows local users to
  cause a denial of service (service outage) via vectors that trigger a
  call with crafted arguments.

Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2009-04-17 18:53:24 UTC
Stable for HPPA.
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-18 08:51:03 UTC
18 Apr 2009; Tobias Heinlein (keytoaster) udev-124-r2.ebuild:
amd64 stable wrt security bug #266290
Comment 15 Markus Meier gentoo-dev 2009-04-18 11:56:41 UTC
x86 stable
Comment 16 Brent Baude (RETIRED) gentoo-dev 2009-04-18 13:34:42 UTC
ppc64 done
Comment 17 Brent Baude (RETIRED) gentoo-dev 2009-04-18 13:34:49 UTC
ppc done
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2009-04-18 17:23:05 UTC
arm/ia64/m68k/s390/sh/sparc stable
Comment 19 Tobias Klausmann (RETIRED) gentoo-dev 2009-04-18 17:51:05 UTC
Stable on alpha.
Comment 20 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-18 18:32:27 UTC
GLSA already filed, pending one approval.
Comment 21 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-18 19:14:04 UTC
GLSA 200904-18, thanks everyone for the quick reaction.