Red Hat Enterprise Linux 7 RHSA-2016:2605-02 Low Risk Util-Linux DoS Issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: util-linux security, bug fix, and enhancement update
Advisory ID:       RHSA-2016:2605-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:2605.html
Issue date:        2016-11-03
CVE Names:         CVE-2016-5011 
====================================================================
1. Summary:

An update for util-linux is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The util-linux packages contain a large variety of low-level system
utilities that are necessary for a Linux system to function. Among others,
these include the fdisk configuration tool and the login program.

Security Fix(es):

* It was found that util-linux's libblkid library did not properly handle
Extended Boot Record (EBR) partitions when reading MS-DOS partition tables.
An attacker with physical USB access to a protected machine could insert a
storage device with a specially crafted partition table that could, for
example, trigger an infinite loop in systemd-udevd, resulting in a denial
of service on that machine. (CVE-2016-5011)

Red Hat would like to thank Michael Gruhn for reporting this issue.
Upstream acknowledges Christian Moch as the original reporter.
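The flaw above is a partition-table reader that follows EBR links without checking whether it has been to a sector before. As an added illustration, not code from util-linux, libblkid or this advisory, the C program below walks an MS-DOS extended partition's EBR chain the way a hardened reader should: it records every sector it has visited, caps the number of hops, and bounds-checks each link against the image size, so a table whose last EBR points back at an earlier one is rejected instead of being followed forever. The in-memory "disk" layout, the constants MAX_EBR_HOPS and IMG_SECTORS, and the two sample images are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECTOR        512
#define ENTRIES_OFF   446   /* partition table offset inside a sector */
#define MAX_EBR_HOPS  128   /* assumed cap on EBR chain length (example value) */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

static int is_extended(uint8_t type) { return type == 0x05 || type == 0x0f || type == 0x85; }

static int has_signature(const uint8_t *sec) { return sec[510] == 0x55 && sec[511] == 0xAA; }

/* Pointer to sector 'lba' of an in-memory image, or NULL when out of range. */
static const uint8_t *sector_at(const uint8_t *img, size_t img_len, uint64_t lba) {
    if (lba >= img_len / SECTOR) return NULL;
    return img + lba * SECTOR;
}

/* Follow the EBR chain of the extended partition starting at 'ext_start'.
 * Returns the number of logical partitions, or -1 when the chain revisits a
 * sector (a loop), leaves the image, lacks a boot signature, or exceeds
 * MAX_EBR_HOPS. Without the visited list and the cap, a looping table would
 * keep the caller spinning here. */
int walk_ebr_chain(const uint8_t *img, size_t img_len, uint32_t ext_start) {
    uint64_t seen[MAX_EBR_HOPS];
    int nseen = 0, logical = 0;
    uint64_t cur = ext_start;

    for (;;) {
        if (nseen >= MAX_EBR_HOPS) return -1;
        for (int i = 0; i < nseen; i++)
            if (seen[i] == cur) return -1;          /* already visited: loop */
        seen[nseen++] = cur;

        const uint8_t *ebr = sector_at(img, img_len, cur);
        if (!ebr || !has_signature(ebr)) return -1;

        const uint8_t *e0 = ebr + ENTRIES_OFF;      /* entry 0: logical partition */
        const uint8_t *e1 = e0 + 16;                /* entry 1: link to next EBR */
        if (e0[4] != 0 && le32(e0 + 12) != 0) logical++;
        if (!is_extended(e1[4])) break;             /* type 0 or non-link: end of chain */
        cur = (uint64_t)ext_start + le32(e1 + 8);   /* link LBA is relative to ext_start */
    }
    return logical;
}

/* Count logical partitions reachable from the MBR of a raw image; -1 on a bad table. */
int count_logical_partitions(const uint8_t *img, size_t img_len) {
    const uint8_t *mbr = sector_at(img, img_len, 0);
    if (!mbr || !has_signature(mbr)) return -1;
    int total = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + ENTRIES_OFF + 16 * i;
        if (!is_extended(e[4])) continue;
        int n = walk_ebr_chain(img, img_len, le32(e + 8));
        if (n < 0) return -1;
        total += n;
    }
    return total;
}

/* --- constructed sample images (not real disks) --------------------------- */

static void put_entry(uint8_t *sec, int idx, uint8_t type, uint32_t lba, uint32_t len) {
    uint8_t *e = sec + ENTRIES_OFF + 16 * idx;
    e[4] = type; put_le32(e + 8, lba); put_le32(e + 12, len);
    sec[510] = 0x55; sec[511] = 0xAA;
}

#define IMG_SECTORS 8

/* 8-sector image: MBR -> extended partition at LBA 2 holding two EBRs.
 * With 'make_loop' set, the second EBR links back to the first one. */
static void build_sample_image(uint8_t img[IMG_SECTORS * SECTOR], int make_loop) {
    memset(img, 0, IMG_SECTORS * SECTOR);
    put_entry(img + 0 * SECTOR, 0, 0x05, 2, 6);      /* MBR: extended at LBA 2 */
    put_entry(img + 2 * SECTOR, 0, 0x83, 1, 1);      /* EBR #1: logical at LBA 3 */
    put_entry(img + 2 * SECTOR, 1, 0x05, 2, 2);      /* link -> ext_start + 2 = LBA 4 */
    put_entry(img + 4 * SECTOR, 0, 0x83, 1, 1);      /* EBR #2: logical at LBA 5 */
    if (make_loop)
        put_entry(img + 4 * SECTOR, 1, 0x05, 0, 2);  /* link -> ext_start + 0 = LBA 2 */
}

/* Logical partition count for the constructed image (2 when well-formed, -1 when looping). */
int sample_result(int make_loop) {
    uint8_t img[IMG_SECTORS * SECTOR];
    build_sample_image(img, make_loop);
    return count_logical_partitions(img, sizeof img);
}

int main(void) {
    printf("well-formed chain: %d logical partition(s)\n", sample_result(0));
    printf("looping chain:     %d (rejected)\n", sample_result(1));
    return 0;
}
```

The visited list is what turns an unbounded walk into a bounded one; the hop cap is a second, independent guard for chains that never repeat a sector but are still far longer than any real disk needs. A reader that also runs on hot-plugged media (as udev does) should treat any -1 here as "ignore this device", not as a reason to retry.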

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1007734 - blkid shows devices as /dev/block/$MAJOR:$MINOR
1029385 - lack of non-ascii support
1248003 - mount only parses = lines from fstab fs_spec field available from blkid block device
1271850 - mount -a doesn't catch a typo in /etc/fstab and a typo in /etc/fstab can make a system not reboot properly
1290689 - util-linux: /bin/login does not retry getpwnam_r with larger buffers, leading to login failure
1291554 - lslogins crash when executed with buggy username
1296366 - Bash completion for more(1) handles file names with spaces incorrectly
1296521 - RHEL7: update audit event in hwclock
1301091 - [libblkid] Failed to get offset of the xfs_external_log signature
1304426 - [rfe] /bin/su should be improved to reduce stack use
1327886 - Backport blkdiscard's "-z" flag to RHEL
1335671 - extra quotes around UUID confuses findfs in RHEL (but not in Fedora)
1344482 - util-linux fails valid_pmbr() size checks if device is > 2.14TB, Device label type: dos instead of gpt
1349536 - Extended partition loop in MBR partition table leads to DOS
1349741 - CVE-2016-5011 util-linux: Extended partition loop in MBR partition table leads to DOS

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
util-linux-2.23.2-33.el7.src.rpm

x86_64:
libblkid-2.23.2-33.el7.i686.rpm
libblkid-2.23.2-33.el7.x86_64.rpm
libmount-2.23.2-33.el7.i686.rpm
libmount-2.23.2-33.el7.x86_64.rpm
libuuid-2.23.2-33.el7.i686.rpm
libuuid-2.23.2-33.el7.x86_64.rpm
util-linux-2.23.2-33.el7.x86_64.rpm
util-linux-debuginfo-2.23.2-33.el7.i686.rpm
util-linux-debuginfo-2.23.2-33.el7.x86_64.rpm
uuidd-2.23.2-33.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
libblkid-devel-2.23.2-33.el7.i686.rpm
libblkid-devel-2.23.2-33.el7.x86_64.rpm
libmount-devel-2.23.2-33.el7.i686.rpm
libmount-devel-2.23.2-33.el7.x86_64.rpm
libuuid-devel-2.23.2-33.el7.i686.rpm
libuuid-devel-2.23.2-33.el7.x86_64.rpm
util-linux-debuginfo-2.23.2-33.el7.i686.rpm
util-linux-debuginfo-2.23.2-33.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
util-linux-2.23.2-33.el7.src.rpm

x86_64:
libblkid-2.23.2-33.el7.i686.rpm
libblkid-2.23.2-33.el7.x86_64.rpm
libmount-2.23.2-33.el7.i686.rpm
libmount-2.23.2-33.el7.x86_64.rpm
libuuid-2.23.2-33.el7.i686.rpm
libuuid-2.23.2-33.el7.x86_64.rpm
util-linux-2.23.2-33.el7.i686.rpm
util-linux-2.23.2-33.el7.x86_64.rpm
util-linux-debuginfo-2.23.2-33.el7.i686.rpm
util-linux-debuginfo-2.23.2-33.el7.x86_64.rpm
uuidd-2.23.2-33.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
libblkid-devel-2.23.2-33.el7.i686.rpm
libblkid-devel-2.23.2-33.el7.x86_64.rpm
libmount-devel-2.23.2-33.el7.i686.rpm
libmount-devel-2.23.2-33.el7.x86_64.rpm
libuuid-devel-2.23.2-33.el7.i686.rpm
libuuid-devel-2.23.2-33.el7.x86_64.rpm
util-linux-debuginfo-2.23.2-33.el7.i686.rpm
util-linux-debuginfo-2.23.2-33.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
util-linux-2.23.2-33.el7.src.rpm

aarch64:
libblkid-2.23.2-33.el7.aarch64.rpm
libblkid-devel-2.23.2-33.el7.aarch64.rpm
libmount-2.23.2-33.el7.aarch64.rpm
libuuid-2.23.2-33.el7.aarch64.rpm
libuuid-devel-2.23.2-33.el7.aarch64.rpm
util-linux-2.23.2-33.el7.aarch64.rpm
util-linux-debuginfo-2.23.2-33.el7.aarch64.rpm
uuidd-2.23.2-33.el7.aarch64.rpm

ppc64:
libblkid-2.23.2-33.el7.ppc.rpm
libblkid-2.23.2-33.el7.ppc64.rpm
libblkid-devel-2.23.2-33.el7.ppc.rpm
libblkid-devel-2.23.2-33.el7.ppc64.rpm
libmount-2.23.2-33.el7.ppc.rpm
libmount-2.23.2-33.el7.ppc64.rpm
libuuid-2.23.2-33.el7.ppc.rpm
libuuid-2.23.2-33.el7.ppc64.rpm
libuuid-devel-2.23.2-33.el7.ppc.rpm
libuuid-devel-2.23.2-33.el7.ppc64.rpm
util-linux-2.23.2-33.el7.ppc.rpm
util-linux-2.23.2-33.el7.ppc64.rpm
util-linux-debuginfo-2.23.2-33.el7.ppc.rpm
util-linux-debuginfo-2.23.2-33.el7.ppc64.rpm
uuidd-2.23.2-33.el7.ppc64.rpm

ppc64le:
libblkid-2.23.2-33.el7.ppc64le.rpm
libblkid-devel-2.23.2-33.el7.ppc64le.rpm
libmount-2.23.2-33.el7.ppc64le.rpm
libuuid-2.23.2-33.el7.ppc64le.rpm
libuuid-devel-2.23.2-33.el7.ppc64le.rpm
util-linux-2.23.2-33.el7.ppc64le.rpm
util-linux-debuginfo-2.23.2-33.el7.ppc64le.rpm
uuidd-2.23.2-33.el7.ppc64le.rpm

s390x:
libblkid-2.23.2-33.el7.s390.rpm
libblkid-2.23.2-33.el7.s390x.rpm
libblkid-devel-2.23.2-33.el7.s390.rpm
libblkid-devel-2.23.2-33.el7.s390x.rpm
libmount-2.23.2-33.el7.s390.rpm
libmount-2.23.2-33.el7.s390x.rpm
libuuid-2.23.2-33.el7.s390.rpm
libuuid-2.23.2-33.el7.s390x.rpm
libuuid-devel-2.23.2-33.el7.s390.rpm
libuuid-devel-2.23.2-33.el7.s390x.rpm
util-linux-2.23.2-33.el7.s390.rpm
util-linux-2.23.2-33.el7.s390x.rpm
util-linux-debuginfo-2.23.2-33.el7.s390.rpm
util-linux-debuginfo-2.23.2-33.el7.s390x.rpm
uuidd-2.23.2-33.el7.s390x.rpm

x86_64:
libblkid-2.23.2-33.el7.i686.rpm
libblkid-2.23.2-33.el7.x86_64.rpm
libblkid-devel-2.23.2-33.el7.i686.rpm
libblkid-devel-2.23.2-33.el7.x86_64.rpm
libmount-2.23.2-33.el7.i686.rpm
libmount-2.23.2-33.el7.x86_64.rpm
libuuid-2.23.2-33.el7.i686.rpm
libuuid-2.23.2-33.el7.x86_64.rpm
libuuid-devel-2.23.2-33.el7.i686.rpm
libuuid-devel-2.23.2-33.el7.x86_64.rpm
util-linux-2.23.2-33.el7.i686.rpm
util-linux-2.23.2-33.el7.x86_64.rpm
util-linux-debuginfo-2.23.2-33.el7.i686.rpm
util-linux-debuginfo-2.23.2-33.el7.x86_64.rpm
uuidd-2.23.2-33.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
libmount-devel-2.23.2-33.el7.aarch64.rpm
util-linux-debuginfo-2.23.2-33.el7.aarch64.rpm

ppc64:
libmount-devel-2.23.2-33.el7.ppc.rpm
libmount-devel-2.23.2-33.el7.ppc64.rpm
util-linux-debuginfo-2.23.2-33.el7.ppc.rpm
util-linux-debuginfo-2.23.2-33.el7.ppc64.rpm

ppc64le:
libmount-devel-2.23.2-33.el7.ppc64le.rpm
util-linux-debuginfo-2.23.2-33.el7.ppc64le.rpm

s390x:
libmount-devel-2.23.2-33.el7.s390.rpm
libmount-devel-2.23.2-33.el7.s390x.rpm
util-linux-debuginfo-2.23.2-33.el7.s390.rpm
util-linux-debuginfo-2.23.2-33.el7.s390x.rpm

x86_64:
libmount-devel-2.23.2-33.el7.i686.rpm
libmount-devel-2.23.2-33.el7.x86_64.rpm
util-linux-debuginfo-2.23.2-33.el7.i686.rpm
util-linux-debuginfo-2.23.2-33.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
util-linux-2.23.2-33.el7.src.rpm

x86_64:
libblkid-2.23.2-33.el7.i686.rpm
libblkid-2.23.2-33.el7.x86_64.rpm
libblkid-devel-2.23.2-33.el7.i686.rpm
libblkid-devel-2.23.2-33.el7.x86_64.rpm
libmount-2.23.2-33.el7.i686.rpm
libmount-2.23.2-33.el7.x86_64.rpm
libuuid-2.23.2-33.el7.i686.rpm
libuuid-2.23.2-33.el7.x86_64.rpm
libuuid-devel-2.23.2-33.el7.i686.rpm
libuuid-devel-2.23.2-33.el7.x86_64.rpm
util-linux-2.23.2-33.el7.i686.rpm
util-linux-2.23.2-33.el7.x86_64.rpm
util-linux-debuginfo-2.23.2-33.el7.i686.rpm
util-linux-debuginfo-2.23.2-33.el7.x86_64.rpm
uuidd-2.23.2-33.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
libmount-devel-2.23.2-33.el7.i686.rpm
libmount-devel-2.23.2-33.el7.x86_64.rpm
util-linux-debuginfo-2.23.2-33.el7.i686.rpm
util-linux-debuginfo-2.23.2-33.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2016-5011
https://access.redhat.com/security/updates/classification#low
https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/7/html/7.3_Release_Notes/index.html

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYGv2cXlSAg2UNWIIRAp+JAJ955gZCCvcoWkTjA+fTL4gipWn5JACgxRhc
GQN8GLnlKZIjTiThhNyMtx0=Y+JX
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list