PR#10: Verify that mount didn't fail, fix CVE-2017-7496 - arm-image-installer

arm-image-installer

#10 Verify that mount didn't fail, fix CVE-2017-7496

Merged 6 years ago by pbrobinson. Opened 6 years ago by misc.

misc/arm-image-installer fix-CVE-2017-7496 into master

Verify that mount didn't fail, fix CVE-2017-7496

Michael Scherer • 6 years ago

189ccc3

arm-image-installer

file modified

		`@@ -301,7 +301,16 @@`
		`# make temp mount points`
		`mkdir /tmp/{boot,root} &> /dev/null`
		`mount "$BOOTPART" /tmp/boot &> /dev/null`
		`+ if [ $? -ne 0 ]; then`
		`+ echo "Error: mount $BOOTPART /tmp/boot failed"`
		`+ exit 1`
		`+ fi`
		`+`
		`mount "$ROOTPART" /tmp/root &> /dev/null`
		`+ if [ $? -ne 0 ]; then`
		`+ echo "Error: mount $ROOTPART /tmp/root failed"`
		`+ exit 1`
		`+ fi`

		`# turn off selinux`
		`if [ "$SELINUX" != "" ] ; then`

misc commented 6 years ago

Since /tmp is world writable, and we do not verify the return code
of mount (or mkdir), a local attacker could precreate /tmp/boot
and /tmp/root directories in a way that mount fail, and later
add symlink to fool the script. For example /tmp/root/etc/ pointing to
/etc , which in turn will make this sed call

sed -i 's/root:x:/root::/' /tmp/root/etc/passwd

modify the real /etc/password file (since the tool is running
as root, SELinux policies are most likely bypasswed, and the symlink
protection in /tmp wouldn't be applicable if the symlink is directory).

Metadata

Assignee

None

Tags

No Tags

Changes Summary 1

+9 -0

file changed

arm-image-installer

arm-image-installer

Source Code

#10 Verify that mount didn't fail, fix CVE-2017-7496 Merged 6 years ago by pbrobinson. Opened 6 years ago by misc. misc/arm-image-installer fix-CVE-2017-7496 into master

Metadata

Changes Summary 1

#10 Verify that mount didn't fail, fix CVE-2017-7496

Merged 6 years ago by pbrobinson. Opened 6 years ago by misc.

misc/arm-image-installer fix-CVE-2017-7496 into master