GNOME Bugzilla – Bug 740161
CVE-2014-7208 Unsafe OS command execution in GParted <= 0.14.1
Last modified: 2019-03-29 15:55:00 UTC
Curtis, this is the one we are already discussing.
This bug report is entirely incomprehensible for any outsider.
A security vulnerability has been discovered in GParted versions 0.14.1 and earlier.

BACKGROUND
==========

CVE-2014-7208 Unsafe OS command execution in GParted <= 0.14.1

Public announcement of the security vulnerability by Wolfgang Ettlinger can be found at:
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm#a173

The GParted team thanks Wolfgang Ettlinger (discovery, analysis) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them. The public disclosure date was 2014-12-18.

Further explanation:

GParted <= 0.14.1 does not properly sanitize strings before passing them as parameters to an OS command. Those commands are executed using root privileges. Parameters that are being used for OS commands in GParted are normally determined by the user (e.g. disk labels, mount points). However, under certain circumstances, an attacker can use external storage to inject command parameters. These circumstances are met if, for example, an automounter uses a file system label as part of the mount path.

Please note that GParted versions 0.15.0 and higher already contain a fix for this issue.

How reproducible: Always

Steps to Reproduce:
1. mkdir '/mnt/`reboot`'
2. mount /dev/sdb1 '/mnt/`reboot`'
3. /usr/sbin/gpartedbin
   Unmount sdb1

So a hacker can label a file system `reboot` on a USB key and the automounter takes care of mounting it, typically at /media/`reboot`.

Actual results: Machine reboots.

Expected results: GParted unmounts file system sdb1.

Two possible solutions (in no particular order):
1) Upgrade to GParted >= 0.15.0
2) Apply patches to GParted <= 0.14.1

PATCHES
=======

Two patches are required for each specific GParted version. Apply the relevant version of each patch for the required GParted release.

Covers GParted 0.4.2 to 0.14.1:

P1) Stop executing external commands via a shell process (#740161)
    Files:
      gparted-740161-no-shell-0.4.2..0.8.0.patch
      gparted-740161-no-shell-0.8.1..0.14.1.patch

P2) Resolve dependencies which relied on shell execution (#740161)
    Files:
      gparted-740161-shell-dependencies-0.4.2..0.11.0.patch
      gparted-740161-shell-dependencies-0.12.0..0.13.1.patch
      gparted-740161-shell-dependencies-0.14.0.patch
      gparted-740161-shell-dependencies-0.14.1.patch

DISTROS AFFECTED
================

Some affected distros are:

  Distro                   GParted
  Ubuntu 10.04 LTS server  0.5.1
  Ubuntu 12.04 LTS         0.11.0
  Debian 7                 0.12.1
  OpenSUSE 12.2            0.12.1
  OpenSUSE 12.3            0.14.1
  Mageia 3                 0.14.1
  Fedora EPEL 5            0.4.8
  Fedora EPEL 6            0.6.0
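The P1 patches above stop handing command lines to a shell; the pattern below is an added illustration of that approach, not GParted's code or the attached patches. It spawns the program directly from an argv vector with fork()/execvp(), so a mount point such as /mnt/`reboot` reaches the child as one literal argument and the backticks are never interpreted. It assumes a POSIX system with an `echo` binary on PATH (used here as a harmless stand-in for umount).

```cpp
// Added example (not GParted's code): run an external command without a shell.
// Each argument is one argv element, so shell metacharacters in user-controlled
// data (labels, mount points) are passed through verbatim, not evaluated.
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/wait.h>

// Run argv[0] with the given arguments, no shell involved. Returns the child's
// stdout and stores its exit status in *status (-1 if it did not exit normally).
// Returns an empty string if the process could not be started.
std::string run_argv(const std::vector<std::string>& argv, int* status) {
    int fds[2];
    if (pipe(fds) != 0) return "";
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return ""; }
    if (pid == 0) {
        // Child: send stdout to the pipe, then exec the program directly.
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        std::vector<char*> cargv;
        for (const std::string& a : argv)
            cargv.push_back(const_cast<char*>(a.c_str()));
        cargv.push_back(nullptr);
        execvp(cargv[0], cargv.data());
        _exit(127);  // only reached if exec failed
    }
    // Parent: collect the child's output, then reap it.
    close(fds[1]);
    std::string out;
    char buf[256];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) out.append(buf, n);
    close(fds[0]);
    int wstatus = 0;
    waitpid(pid, &wstatus, 0);
    if (status) *status = WIFEXITED(wstatus) ? WEXITSTATUS(wstatus) : -1;
    return out;
}

// Stand-in for an unmount call: pass the (constructed, attacker-shaped) mount
// point as a single argument to echo and return what the child actually saw.
std::string echo_mountpoint(const std::string& mountpoint) {
    int status = 0;
    std::string out = run_argv({"echo", mountpoint}, &status);
    if (!out.empty() && out.back() == '\n') out.pop_back();
    return status == 0 ? out : "";
}
```

With a shell in the path (`sh -c "umount /mnt/\`reboot\`"`) the backticks would be expanded before umount ever ran; with argv spawning the child receives the string unchanged.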
Created attachment 292984: P1) Stop executing external commands via a shell process (#740161) - for GParted versions 0.4.2..0.8.0
Created attachment 292985: P1) Stop executing external commands via a shell process (#740161) - for GParted versions 0.8.1..0.14.1
Created attachment 292986: P2) Resolve dependencies which relied on shell execution (#740161) - for GParted versions 0.4.2..0.11.0
Created attachment 292987: P2) Resolve dependencies which relied on shell execution (#740161) - for GParted versions 0.12.0..0.13.1
Created attachment 292988: P2) Resolve dependencies which relied on shell execution (#740161) - for GParted version 0.14.0 only
Created attachment 292989: P2) Resolve dependencies which relied on shell execution (#740161) - for GParted version 0.14.1 only
*** Bug 671219 has been marked as a duplicate of this bug. ***
GParted news item about this from 18 December 2014:
CVE-2014-7208 Unsafe OS command execution in GParted <= 0.14.1
https://gparted.org/news.php?item=184

Closing this now as it has been many years since this was resolved and the oldest currently supported distributions no longer use affected versions of GParted.

  Distro              EOL            GParted
  - RHEL / CentOS 6   2020-Nov [1]   0.31.0 [2]
  - Debian 8          2020-Jun [3]   0.19.0 [4]
  - Ubuntu 14.04 LTS  2019-Apr [5]   0.18.0 [6]

[1] https://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux#Product_life_cycle
[2] https://centos.pkgs.org/6/epel-i386/gparted-0.31.0-1.el6.i686.rpm.html
[3] https://en.wikipedia.org/wiki/Debian_version_history#Release_table
[4] https://packages.debian.org/jessie/gparted
[5] https://en.wikipedia.org/wiki/Ubuntu_version_history#Table_of_versions
[6] https://packages.ubuntu.com/trusty/gparted