CVE 2022-41973
multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.
Related bugs and status
CVE-2022-41973 (Candidate) is related to these bugs:
Bug #1961633: Consider dropping d/p/kpartx-Improve-finding-loopback-device-by-file.patch
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1961633 | Consider dropping d/p/kpartx-Improve-finding-loopback-device-by-file.patch | multipath-tools (Ubuntu) | Medium | Fix Released | ||
Bug #2000186: update fails on cloud server (invoke-rc.d restart failed) when using an unsupported kernel
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 2000186 | update fails on cloud server (invoke-rc.d restart failed) when using an unsupported kernel | multipath-tools (Ubuntu) | Undecided | Fix Released | ||
| 2000186 | update fails on cloud server (invoke-rc.d restart failed) when using an unsupported kernel | multipath-tools (Ubuntu Focal) | High | Fix Released | ||
| 2000186 | update fails on cloud server (invoke-rc.d restart failed) when using an unsupported kernel | multipath-tools (Ubuntu Jammy) | High | Fix Released | ||
| 2000186 | update fails on cloud server (invoke-rc.d restart failed) when using an unsupported kernel | multipath-tools (Ubuntu Kinetic) | High | Won't Fix | ||
| 2000186 | update fails on cloud server (invoke-rc.d restart failed) when using an unsupported kernel | multipath-tools (Ubuntu Lunar) | Undecided | Fix Released | ||
Bug #2018051: Merge multipath-tools from Debian unstable for mantic
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 2018051 | Merge multipath-tools from Debian unstable for mantic | multipath-tools (Ubuntu) | High | Fix Released | ||
Bug #2020720: [Debian] CVE: CVE-2022-41973/CVE-2022-41974: multipath-tools: multiple CVEs
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 2020720 | [Debian] CVE: CVE-2022-41973/CVE-2022-41974: multipath-tools: multiple CVEs | StarlingX | High | Fix Released | ||
Bug #2026881: mpathpersist scsi3 pgr broken
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 2026881 | mpathpersist scsi3 pgr broken | multipath-tools (Ubuntu) | Undecided | Fix Released | ||
| 2026881 | mpathpersist scsi3 pgr broken | multipath-tools (Ubuntu Jammy) | Undecided | Fix Released | ||
| 2026881 | mpathpersist scsi3 pgr broken | multipath-tools (Ubuntu Mantic) | Undecided | Fix Released | ||
| 2026881 | mpathpersist scsi3 pgr broken | multipath-tools (Ubuntu Lunar) | Undecided | Fix Released | ||
See the 
CVE page on Mitre.org
for more details.
