udisks: Arbitrary code execution — GLSA 201405-01

A stack-based buffer overflow vulnerability has been found in udisks, allowing a local attacker to possibly execute arbitrary code or cause Denial of Service.

Affected Packages

sys-fs/udisks on all architectures
Affected versions < 2.1.3
Unaffected versions revision >= 1.0.5, >= 2.1.3

Background

udisks is an abstraction for enumerating block devices and performing operations on them.

Description

A stack-based buffer overflow can be triggered when udisks is given a long path name as a mount point.

Impact

A local attacker could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All udisks 1.0 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-fs/udisks-1.0.5:0"
 

All udisks 2.0 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-fs/udisks-2.1.3"
 

References

Release Date
May 02, 2014

Latest Revision
May 02, 2014: 1

Severity
normal

Exploitable
local

Bugzilla entries