From patchwork Sun Jan 30 16:25:34 2022
X-Patchwork-Submitter: Hauke Mehrtens
X-Patchwork-Id: 1586416
X-Patchwork-Delegate: hauke@hauke-m.de
From: Hauke Mehrtens
To: openwrt-devel@lists.openwrt.org
Cc: Hauke Mehrtens
Subject: [PATCH 07/11] util-linux: Update to version 2.37.3
Date: Sun, 30 Jan 2022 17:25:34 +0100
Message-Id: <20220130162538.3370704-7-hauke@hauke-m.de>
In-Reply-To: <20220130162538.3370704-1-hauke@hauke-m.de>
References: <20220130162538.3370704-1-hauke@hauke-m.de>

This release fixes two security mount(8) and umount(8) issues:

CVE-2021-3996
    Improper UID check in libmount allows an unprivileged user to unmount
    FUSE filesystems of users with similar UID.

CVE-2021-3995
    This issue, related to parsing the /proc/self/mountinfo file, allows an
    unprivileged user to unmount other users' filesystems that are either
    world-writable themselves or mounted in a world-writable directory.

Signed-off-by: Hauke Mehrtens
---
 package/utils/util-linux/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/utils/util-linux/Makefile b/package/utils/util-linux/Makefile index bf8a67f07410..1714aff95ba0 100644 --- a/package/utils/util-linux/Makefile +++ b/package/utils/util-linux/Makefile 
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=util-linux -PKG_VERSION:=2.37 +PKG_VERSION:=2.37.3 PKG_RELEASE:=$(AUTORELEASE) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@KERNEL/linux/utils/$(PKG_NAME)/v2.37 -PKG_HASH:=bd07b7e98839e0359842110525a3032fdb8eaf3a90bedde3dd1652d32d15cce5 +PKG_HASH:=590c592e58cd6bf38519cb467af05ce6a1ab18040e3e3418f24bcfb2f55f9776 PKG_CPE_ID:=cpe:/a:kernel:util-linux PKG_LICENSE:=GPL-2.0-only
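
Review bot: The unchanged `PKG_SOURCE_URL:=@KERNEL/linux/utils/$(PKG_NAME)/v2.37` line still hardcodes the series directory separately from the new `PKG_VERSION:=2.37.3`. It resolves for this bump because the point release stays in the 2.37 series, but the two values have to be kept in step by hand at the next series change, so consider deriving the directory from the version or adding a comment that it must be updated together with it. The bump also goes from 2.37 straight to 2.37.3 while the commit message describes only the two CVE fixes, so a short mention of what else is picked up along the way would help anyone backporting this to a stable branch. The new `PKG_HASH` cannot be checked from the patch itself; a note in the commit message that it was compared against the checksum published upstream would make this security update easier to accept.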