CLD-317 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-7738 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) util-linux
Deficiency Type SECURITY
Date Created 2018-03-07 10:26:33
Date Last Modified 2018-03-07 11:16:09

Version Specific Information:

Cucumber 1.0 i686 not affected
Cucumber 1.0 x86_64 not affected

Cucumber 1.1 i686 not affected
Cucumber 1.1 x86_64 not affected

Details:

=================================== Overview ===================================

In util-linux before 2.32-rc1, bash-completion/umount allows local users to
gain privileges by embedding shell commands in a mountpoint name, which is
mishandled during a umount command (within Bash) by a different user, as
demonstrated by logging in as root and entering umount followed by a tab
character for autocompletion. 

================================= Our Analysis =================================

----- Affected Products -----
This vulnerability was introduced in version 2.28 of util-linux (when the umount
bash completion was added). Cucumber Linux 1.0 and 1.1 are both unaffected as
they use version 2.27.1 of util-linux.

================================= Our Solution =================================

Not affected; no action necessary.