559579 – (CVE-2010-0296) CVE-2010-0296 glibc: Improper encoding of names with certain special character in utilities for writing to mtab table

Bug 559579 (CVE-2010-0296) - CVE-2010-0296 glibc: Improper encoding of names with certain special character in utilities for writing to mtab table

Summary: CVE-2010-0296 glibc: Improper encoding of names with certain special characte...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2010-0296
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	599045 688214 688215 767685 769360
Blocks:	767564
TreeView+	depends on / blocked

Reported:	2010-01-28 14:35 UTC by Jan Lieskovsky
Modified:	2019-09-29 12:34 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-02-13 20:52:58 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0412	normal	SHIPPED_LIVE	Important: glibc security update	2011-04-04 20:06:07 UTC
Red Hat Product Errata	RHSA-2012:0125	normal	SHIPPED_LIVE	Moderate: glibc security and bug fix update	2012-02-14 01:33:53 UTC
Sourceware	19563	None	None	None	2016-02-04 07:00:26 UTC

Description Jan Lieskovsky 2010-01-28 14:35:30 UTC

It was found that glibc's utility, responsible for editing
of system's mtab table, improperly sanitized user supplied
mount point names containing certain special character. Local
attacker could use this flaw to add arbitrary mount points
(corrupt system's "/etc/mtab" file) or, potentially, set
unauthorized mount options. Other attacks are also possible.

Issue severity note:
-------------------
The /etc/mtab file handles mounted devices and is automatically
updated by the mount command (more precisely by the dedicated
"mount" tool for relevant filesystem). Unprivileged user to
be able to run such a tool (and modify content of /etc/mtab),
this tool needs to be suid root enabled. The dedicated "mount"
tools, as shipped with Red Hat Enterprise Linux (mount.cifs,
mount.fuse, fusermount, mount.nfs, mount.nfs4) does NOT allow
unprivileged user to use them (without prior grant of additional
privileges from the privileged user) for editing of system's
/etc/mtab file, which mitigates impact of this flaw.

Comment 10 Jan Lieskovsky 2010-06-02 14:48:16 UTC

Public via:
  [1] http://www.ubuntu.com/usn/usn-944-1

Comment 11 Jan Lieskovsky 2010-06-02 14:52:43 UTC

CVE-2010-0296 description from Mitre:

The encode_name macro in misc/mntent_r.c in the GNU C Library (aka
glibc or libc6) 2.11.1 and earlier, as used by ncpmount and
mount.cifs, does not properly handle newline characters in mountpoint
names, which allows local users to cause a denial of service (mtab
corruption), or possibly modify mount options and gain privileges, via
a crafted mount request.

References:
  [1] http://frugalware.org/security/662
  [2] http://sourceware.org/git/?p=glibc.git;a=commit;h=ab00f4eac8f4932211259ff87be83144f5211540
  [3] http://www.ubuntu.com/usn/USN-944-1
  [4] http://securitytracker.com/id?1024043
  [5] http://secunia.com/advisories/39900
  [6] http://www.vupen.com/english/advisories/2010/1246

Comment 16 errata-xmlrpc 2011-04-04 20:06:16 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0412 https://rhn.redhat.com/errata/RHSA-2011-0412.html

Comment 19 errata-xmlrpc 2012-02-13 20:35:26 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0125 https://rhn.redhat.com/errata/RHSA-2012-0125.html

Note You need to log in before you can comment on or make changes to this bug.