#10 Verify that mount didn't fail, fix CVE-2017-7496
Merged 2 years ago by pbrobinson. Opened 2 years ago by misc.
misc/arm-image-installer fix-CVE-2017-7496  into  master

file modified
+9

@@ -301,7 +301,16 @@ 

  # make temp mount points

  mkdir /tmp/{boot,root} &> /dev/null

  mount "$BOOTPART" /tmp/boot &> /dev/null

+ if [ $? -ne 0 ]; then

+         echo "Error: mount $BOOTPART /tmp/boot failed"

+         exit 1

+ fi

+ 

  mount "$ROOTPART" /tmp/root &> /dev/null

+ if [ $? -ne 0 ]; then

+         echo "Error: mount $ROOTPART /tmp/root failed"

+         exit 1

+ fi

  

  # turn off selinux

  if [ "$SELINUX" != "" ] ; then

Since /tmp is world writable, and we do not verify the return code
of mount (or mkdir), a local attacker could precreate /tmp/boot
and /tmp/root directories in a way that mount fail, and later
add symlink to fool the script. For example /tmp/root/etc/ pointing to
/etc , which in turn will make this sed call

sed -i 's/root:x:/root::/' /tmp/root/etc/passwd

modify the real /etc/password file (since the tool is running
as root, SELinux policies are most likely bypasswed, and the symlink
protection in /tmp wouldn't be applicable if the symlink is directory).

rebased

2 years ago

Pull-Request has been merged by pbrobinson

2 years ago
Metadata