From ${URL} : Florian Weimer of the Red Hat Product Security Team, found a flaw in the way udisks and udisks2 handled long path names. A malicious, local user could use this flaw to create a specially-crafted directory structure that could lead to arbitrary code execution with the privileges of the udisks daemon (root). This issue has been assigned CVE-2014-0004. References: http://lists.freedesktop.org/archives/devkit-devel/2014-March/001568.html Patches: http://cgit.freedesktop.org/udisks/commit/?h=udisks1&id=ebf61ed8471 http://cgit.freedesktop.org/udisks/commit/?id=244967 Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1049703 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Please test and stabilize: =sys-fs/udisks-1.0.5 alpha amd64 arm ia64 ppc ppc64 sparc x86 =sys-fs/udisks-2.1.3 alpha amd64 arm ia64 ppc ppc64 sparc x86
amd64 stable
x86 stable
sparc stable
ppc stable
ia64 stable
alpha stable
arm stable
ppc64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Created a new GLSA Request Arches, Thank you for your work Maintainer(s), please drop the vulnerable version.
CVE-2014-0004 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0004): Stack-based buffer overflow in udisks before 1.0.5 and 2.x before 2.1.3 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long mount point.
Cleanup done by ssuominen.
This issue was resolved and addressed in GLSA 201405-01 at http://security.gentoo.org/glsa/glsa-201405-01.xml by GLSA coordinator Mikle Kolyada (Zlogene).