CVE-2022-41973

Name: CVE-2022-41973
Description: multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3250-1, DSA-5366-1
Debian Bugs: 1022742

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| multipath-tools (PTS) | bullseye (security), bullseye | 0.8.5-2+deb11u1 | fixed |
| | bookworm | 0.9.4-3+deb12u1 | fixed |
| | sid, trixie | 0.9.9-1 | fixed |

The information below is based on the following data on fixed versions.

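| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| multipath-tools | source | buster | 0.7.9-3+deb10u2 | | DLA-3250-1 | |
| multipath-tools | source | bullseye | 0.8.5-2+deb11u1 | | DSA-5366-1 | |
| multipath-tools | source | (unstable) | 0.9.4-1 | | | 1022742 |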

Notes

https://www.openwall.com/lists/oss-security/2022/10/24/2
https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt
Introduced by: https://github.com/opensvc/multipath-tools/commit/65d0a633e066223d361cd1a254ebdfe36a133a5c (0.7.7)
Fix included in https://github.com/opensvc/multipath-tools/pull/46
Fixed by (merge): https://github.com/opensvc/multipath-tools/commit/c4912a639b7ff527aa11d665944594926ff94a7a (0.9.2)
https://github.com/opensvc/multipath-tools/commit/f812466f68b8e020818c6454d7b7a7e278bc99f6 (0.9.2)
https://github.com/opensvc/multipath-tools/commit/d139bcf0842bc0a16beab86e1349ed65b150bf0c (0.9.2)
https://github.com/opensvc/multipath-tools/commit/2a1ff3154c1d5de423c303ca3bc9ed9727b4e523 (0.9.2)
https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f (0.9.2, CVE fix)
https://github.com/opensvc/multipath-tools/commit/994811a29332161ec150f1d9822ff460cfc0f316 (0.9.2)
The fix for CVE-2022-41973 switches to using /run instead of /dev/shm, which is a
backward-incompatible change (it can be overridden, but doing so leaves the CVE open).
