CVE-2022-41973

multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.

References

Affected packages

Debian:11 / multipath-tools

Package

Name: multipath-tools
Purl: pkg:deb/debian/multipath-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.8.5-2+deb11u1

Affected versions

0.*

0.8.5-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / multipath-tools

Package

Name: multipath-tools
Purl: pkg:deb/debian/multipath-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / multipath-tools

Package

Name: multipath-tools
Purl: pkg:deb/debian/multipath-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/opensvc/multipath-tools

Affected ranges

Type: GIT
Repo: https://github.com/opensvc/multipath-tools
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

66664cdb52f548b821b2ea28e49613c068e9375d

Fixed

66664cdb52f548b821b2ea28e49613c068e9375d

Affected versions

0.*

0.4.5

0.4.5-pre3

0.4.5-pre4

0.4.6

0.4.7

0.4.8

0.4.9

0.5.0

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.7.7

0.7.8

0.7.9

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.9.0

0.9.1