+++ This bug was initially created as a clone of Bug #532940 +++
Several race condition flaws were found in samba-client,
fuse and ncpfs packages:
a, Ronald Volgers found a race condition in the samba-client's
mount.cifs utility. Local, unprivileged user could use this
flaw to conduct symlink attacks, leading to disclosure of
sensitive information, or, possibly to privilege escalation.
Upstream bug report:
https://bugzilla.samba.org/show_bug.cgi?id=6853
Upstream Samba patches:
http://git.samba.org/?p=samba.git;a=commit;h=3ae5dac462c4ed0fb2cd94553583c56fce2f9d80http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054http://git.samba.org/?p=samba.git;a=commit;h=a0c31ec1c8d1220a5884e40d9ba6b191a04a24d5
Issue severity note for Red Hat Enteprise Linux:
------------------------------------------------
The mount.cifs binary, as shipped within samba-client
package on Red Hat Enterprise Linux 4 and 5, is NOT shipped
with setuid root bit enabled by default (local, unprivileged
users on these systems are NOT able to mount custom CIFS
filesystem shares), which mitigates the impact of the vulnera-
bility.
b, Dan Rosenberg found a race condition in the FUSE's fusermount's
utility by performing FUSE filesystem(s) unmount operation (it
was not performed atomically). A local, unprivileged user
could use this flaw to cause a denial of service (unprivileged
unmount of FUSE filesystem share(s) owned by privileged user)
via symlink attack involving FUSE share(s) belonging to privileged
user.
Issue severity note for Red Hat Enterprise Linux:
-------------------------------------------------
The "fusermount" utility, as shipped within "fuse" package
in Red Hat Enterprise Linux 5 IS shipped with setuid root bit
enabled by default, but the unprivileged user to be able to
mount custom FUSE filesystem, he needs prior to be the member of
special "fuse" users group (user membership in this group is
granted by privileged user), which mitigates the impact of the
vulnerability.
c, Dan Rosenberg found race conditions in the ncpfs ncpmount
and ncpumount utilities. Local, unprivileged user could use
these flaws to conduct symlink attacks, leading to denial
of service (ncpumount), disclosure of sensitive information,
or, possibly to privilege escalation (ncpmount).
Issue severity note for Fedora:
-------------------------------
The "ncpmount and ncpumount" utilities, as shipped within
"ncpfs" package in Fedora release of 11 and 12 are NOT shipped
with setuid root bit enabled by default (unprivileged, local
users are NOT able to mount / umount custom remote NCP shares), which
mitigates the impact of the flaws.
MITRE has rejected the use of CVE-2009-3297 because it was used for samba, ncpfs, and fuse when it should only have been used for Samba.
Instead, new CVEs have been assigned as follows:
CVE-2010-0787: samba
CVE-2010-0788: ncpfs
CVE-2010-0789: fuse
This issue does affect Red Hat Enterprise Linux 5 because it does ship
fusermount suid root, however the impact of this flaw is minimized due to the
fact that only members in group 'fuse' may use it; the executable is owned
root:fuse and mode 4750.
Red Hat Enterprise Linux 3 and 4 do not provide the fuse package.
The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw. More information regarding
issue severity can be found here:
http://www.redhat.com/security/updates/classification/
Acknowledgements:
Red Hat would like to thank Dan Rosenberg for responsibly reporting these flaws.