It was found that glibc's utility responsible for editing the system's mtab table improperly sanitized user-supplied mount point names containing certain special characters. A local attacker could use this flaw to add arbitrary mount points (corrupt the system's "/etc/mtab" file) or, potentially, set unauthorized mount options. Other attacks are also possible.

Issue severity note:
-------------------
The /etc/mtab file handles mounted devices and is automatically updated by the mount command (more precisely, by the dedicated "mount" tool for the relevant filesystem). For an unprivileged user to be able to run such a tool (and modify the content of /etc/mtab), the tool needs to be suid root enabled. The dedicated "mount" tools, as shipped with Red Hat Enterprise Linux (mount.cifs, mount.fuse, fusermount, mount.nfs, mount.nfs4), do NOT allow an unprivileged user to use them (without prior grant of additional privileges from the privileged user) for editing the system's /etc/mtab file, which mitigates the impact of this flaw.
Public via: [1] http://www.ubuntu.com/usn/usn-944-1
CVE-2010-0296 description from Mitre:

The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request.

References:
[1] http://frugalware.org/security/662
[2] http://sourceware.org/git/?p=glibc.git;a=commit;h=ab00f4eac8f4932211259ff87be83144f5211540
[3] http://www.ubuntu.com/usn/USN-944-1
[4] http://securitytracker.com/id?1024043
[5] http://secunia.com/advisories/39900
[6] http://www.vupen.com/english/advisories/2010/1246
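The effect of the missing newline handling described above, as an added example that is not glibc's code and not part of the original report: a field encoder that octal-escapes mtab separators, with the newline escape switchable, and a count of how many records a line-oriented reader would then see. The function names, the device name and the mount point name are constructed for illustration.

```c
#include <stdio.h>

/* Octal-escape the characters that act as separators in an mtab line.
   escape_newline=0 models an encoder that misses '\n' (the flaw class
   described above); escape_newline=1 is the hardened form.
   Returns bytes written, or 0 if out is too small (or in is empty). */
size_t encode_field(const char *in, char *out, size_t outsz, int escape_newline)
{
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int esc = c == ' ' || c == '\t' || c == '\\' ||
                  (escape_newline && c == '\n');
        size_t need = esc ? 4 : 1;          /* "\ooo" is four bytes */
        if (n + need + 1 > outsz)           /* keep room for the NUL */
            return 0;
        if (esc)
            n += (size_t)snprintf(out + n, outsz - n, "\\%03o", (unsigned)c);
        else
            out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

/* Build one mtab-style line for the mount point and return how many
   records a line-oriented reader would see in it (-1 on encode failure). */
int records_for_mountpoint(const char *dir, int escape_newline)
{
    char enc[256], line[512];
    int count = 0;
    if (!encode_field(dir, enc, sizeof enc, escape_newline))
        return -1;
    snprintf(line, sizeof line, "/dev/sdb1 %s vfat rw 0 0\n", enc);
    for (const char *p = line; *p; p++)
        count += (*p == '\n');
    return count;
}

int main(void)
{
    const char *dir = "/mnt/usb\nstick";    /* constructed sample name */
    printf("newline not escaped: %d record(s)\n", records_for_mountpoint(dir, 0));
    printf("newline escaped:     %d record(s)\n", records_for_mountpoint(dir, 1));
    return 0;
}
```

With the newline written as `\012`, one mount yields exactly one record; without it, the single mount point name splits into two lines of the table.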
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0412 https://rhn.redhat.com/errata/RHSA-2011-0412.html
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0125 https://rhn.redhat.com/errata/RHSA-2012-0125.html