Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

udisks: Arbitrary code execution — GLSA 201405-01

A stack-based buffer overflow vulnerability has been found in udisks, allowing a local attacker to possibly execute arbitrary code or cause Denial of Service.

Affected packages

Package sys-fs/udisks on all architectures
Affected versions < 2.1.3
Unaffected versions revision >= 1.0.5
>= 2.1.3

Background

udisks is an abstraction for enumerating block devices and performing operations on them.

Description

A stack-based buffer overflow can be triggered when udisks is given a long path name as a mount point.

Impact

A local attacker could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All udisks 1.0 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-fs/udisks-1.0.5:0"

All udisks 2.0 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-fs/udisks-2.1.3"

References

Release date
May 02, 2014

Latest revision
May 02, 2014: 1

Severity
normal

Exploitable
local

Bugzilla entries