Bug 562156 (CVE-2010-0547)

Summary: CVE-2010-0547 samba: mount.cifs improper device name and mountpoint strings sanitization
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: azelinka, bressers, gdeschner, jlayton, prc, ssorce, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-08-30 06:51:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 722551, 722552, 722553
Bug Blocks: 721358

Description Jan Lieskovsky 2010-02-05 13:14:48 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0547 to
the following vulnerability:

client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier
does not verify that the (1) device name and (2) mountpoint strings
are composed of valid characters, which allows local users to cause a
denial of service (mtab corruption) via a crafted string.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547

Upstream patch:
  http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054

Issue severity note:
  For a local, unprivileged user to be able to exploit this
flaw (to corrupt the system's /etc/mtab file), the relevant
mount.cifs utility present on the system has to be setuid
root enabled (otherwise the attacker is NOT able to mount a
custom CIFS share, and thus add records to the system table of
mounted devices). The mount.cifs utility, shipped within the
samba-client package in Red Hat Enterprise Linux 4 and 5,
is NOT setuid root enabled in the default configuration,
which mitigates the impact of this flaw.

Comment 1 Jan Lieskovsky 2010-02-05 13:41:15 UTC
This issue does NOT affect the version of the samba package,
as shipped with Red Hat Enterprise Linux 3.

This issue affects (but with quite limited impact) the versions
of the samba package, as shipped with Red Hat Enterprise Linux 4
and Red Hat Enterprise Linux 5.

This issue affects (but with quite limited impact) the version
of the samba3x package, as shipped with Red Hat Enterprise Linux 5
Update 4.

This issue does NOT affect the versions of the samba package,
as shipped with Fedora releases 11 and 12. Samba packages for
these two Fedora releases have already been updated:
a, samba-3.4.5-0.47.fc11 contains the relevant fix for Fedora-11
b, samba-3.4.5-55.fc12 contains the relevant fix for Fedora-12

For more information please proceed to CVE-2010-0787 Red Hat
Bugzilla record:

  [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0787

and the subsequent comments in [1]:
  i,  https://bugzilla.redhat.com/show_bug.cgi?id=532940#c26
  ii, https://bugzilla.redhat.com/show_bug.cgi?id=532940#c25

Comment 5 Tomas Hoger 2011-08-02 09:04:30 UTC
Noting some context details for posterity...  This flaw actually exposed a bug (failure to escape the \n character properly) in glibc's addmntent() implementation, which got the CVE-2010-0296 id assigned, see bug #559579 for details.  This flaw got addressed in both glibc and samba/cifs-utils:

- glibc added proper escaping of \n;  the issue was fixed in Red Hat Enterprise Linux 6 before the initial release, and updates were made available for Red Hat Enterprise Linux 5 (RHSA-2011:0412)

- samba/cifs-utils added a check for \n in share and directory names, causing it to print an error message and exit without trying to mount the share and update mtab in such a case;  this fix was included in the cifs-utils included in the Red Hat Enterprise Linux 6 initial release, and was added to samba3x packages in Red Hat Enterprise Linux 5 as part of the rebase to version 3.5.4 (RHBA-2011:0054) in Red Hat Enterprise Linux 5.6

However, the samba/cifs-utils fix contained an error which caused mount.cifs to print an error message when a share or directory name with \n was encountered, but still proceed to try to mount the share and update mtab.  This could still result in mtab corruption on systems that do not have the glibc fix.  This incomplete fix issue is now tracked as CVE-2011-2724, bug #726691.
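
The two-layer fix described in this comment, as an added example that is not code from Samba, cifs-utils or glibc: the newline check that lets a mount helper refuse a share or directory name before it touches mtab, and the octal escaping addmntent(3) applies so that one field can never span two mtab records. Function names, buffer sizes and the `cifs rw 0 0` record layout are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* The check cifs-utils added: a newline in a share name or mountpoint
 * would terminate the /etc/mtab record early and start a bogus one. */
int mount_string_is_safe(const char *s) { return s != NULL && strchr(s, '\n') == NULL; }

/* mtab field escaping as addmntent(3) does it after the glibc fix for
 * CVE-2010-0296: space, tab, newline, backslash -> \040 \011 \012 \134.
 * Returns bytes written (without the NUL), or -1 if out is too small. */
int mtab_escape(const char *in, char *out, size_t outlen)
{
    static const char from[] = " \t\n\\";
    static const char *const to[] = { "\\040", "\\011", "\\012", "\\134" };
    size_t n = 0;
    for (; *in; in++) {
        const char *p = strchr(from, *in);
        const char *esc = p ? to[p - from] : NULL;
        size_t len = esc ? 4 : 1;
        if (n + len >= outlen) return -1;
        if (esc) memcpy(out + n, esc, 4); else out[n] = *in;
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

/* Build the mtab record: 0 on success, -1 if an input was rejected, in which
 * case the caller must abort the mount. The incomplete fix tracked as
 * CVE-2011-2724 printed an error at this point but still mounted and wrote mtab. */
int build_mtab_record(const char *device, const char *mountpoint,
                      char *out, size_t outlen)
{
    char dev[256], mnt[256];
    if (!mount_string_is_safe(device) || !mount_string_is_safe(mountpoint))
        return -1;
    if (mtab_escape(device, dev, sizeof dev) < 0 ||
        mtab_escape(mountpoint, mnt, sizeof mnt) < 0)
        return -1;
    int w = snprintf(out, outlen, "%s %s cifs rw 0 0\n", dev, mnt);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* 1 if the record built equals expected, 0 if not, -1 if inputs were rejected. */
int record_equals(const char *device, const char *mountpoint, const char *expected)
{
    char buf[1024];
    if (build_mtab_record(device, mountpoint, buf, sizeof buf) != 0) return -1;
    return strcmp(buf, expected) == 0;
}
```

With both layers in place a newline is refused before any mount is attempted, and even a name that slipped past the check would be written as `\012` rather than as a record separator.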

Comment 6 errata-xmlrpc 2011-08-29 17:27:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1219 https://rhn.redhat.com/errata/RHSA-2011-1219.html

Comment 7 Vincent Danen 2011-08-29 19:32:57 UTC
Statement:

(none)