Bug 559579 (CVE-2010-0296) - CVE-2010-0296 glibc: Improper encoding of names with certain special character in utilities for writing to mtab table
Alias: CVE-2010-0296
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 599045 688214 688215 767685 769360
Blocks: 767564
Reported: 2010-01-28 14:35 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-02-13 20:52:58 UTC


System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2011:0412 | 0 | normal | SHIPPED_LIVE | Important: glibc security update | 2011-04-04 20:06:07 UTC
Red Hat Product Errata | RHSA-2012:0125 | 0 | normal | SHIPPED_LIVE | Moderate: glibc security and bug fix update | 2012-02-14 01:33:53 UTC
Sourceware | 19563 | 0 | None | None | None | 2016-02-04 07:00:26 UTC

Description Jan Lieskovsky 2010-01-28 14:35:30 UTC
It was found that glibc's utility responsible for editing
the system's mtab table improperly sanitized user-supplied
mount point names containing a certain special character. A local
attacker could use this flaw to add arbitrary mount points
(corrupt the system's "/etc/mtab" file) or, potentially, set
unauthorized mount options. Other attacks are also possible.

Issue severity note:
The /etc/mtab file handles mounted devices and is automatically
updated by the mount command (more precisely, by the dedicated
"mount" tool for the relevant filesystem). For an unprivileged user to
be able to run such a tool (and modify the content of /etc/mtab),
the tool needs to be suid root enabled. The dedicated "mount"
tools, as shipped with Red Hat Enterprise Linux (mount.cifs,
mount.fuse, fusermount, mount.nfs, mount.nfs4), do NOT allow
an unprivileged user to use them (without a prior grant of additional
privileges from the privileged user) for editing the system's
/etc/mtab file, which mitigates the impact of this flaw.

Comment 10 Jan Lieskovsky 2010-06-02 14:48:16 UTC
Public via:
  [1] http://www.ubuntu.com/usn/usn-944-1

Comment 11 Jan Lieskovsky 2010-06-02 14:52:43 UTC
CVE-2010-0296 description from Mitre:

The encode_name macro in misc/mntent_r.c in the GNU C Library (aka
glibc or libc6) 2.11.1 and earlier, as used by ncpmount and
mount.cifs, does not properly handle newline characters in mountpoint
names, which allows local users to cause a denial of service (mtab
corruption), or possibly modify mount options and gain privileges, via
a crafted mount request.

  [1] http://frugalware.org/security/662
  [2] http://sourceware.org/git/?p=glibc.git;a=commit;h=ab00f4eac8f4932211259ff87be83144f5211540
  [3] http://www.ubuntu.com/usn/USN-944-1
  [4] http://securitytracker.com/id?1024043
  [5] http://secunia.com/advisories/39900
  [6] http://www.vupen.com/english/advisories/2010/1246
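
The encoding the Mitre description refers to, as an added example that is not glibc's code and not part of this bug report: a name is escaped with the octal escapes documented in getmntent(3), so an embedded newline cannot end the mtab record early. `mtab_encode`, `format_entry` and the sample entry values are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Escape field and record separators with the octal escapes listed in
   getmntent(3). Hypothetical helper, not glibc's encode_name macro. */
static int mtab_encode(const char *in, char *out, size_t outlen)
{
    size_t w = 0;
    if (outlen == 0)
        return -1;
    for (; *in != '\0'; ++in) {
        const char *esc = NULL;
        switch (*in) {
        case ' ':  esc = "\\040"; break;
        case '\t': esc = "\\011"; break;
        case '\n': esc = "\\012"; break;   /* the record separator */
        case '\\': esc = "\\\\";  break;
        }
        size_t n = esc ? strlen(esc) : 1;
        if (w + n + 1 > outlen)            /* keep room for the NUL */
            return -1;
        memcpy(out + w, esc ? esc : in, n);
        w += n;
    }
    out[w] = '\0';
    return 0;
}

/* Format one entry and return how many newline-terminated records it
   holds (-1 on error). Device, type and options are constructed values. */
static int format_entry(const char *dir, int encode, char *line, size_t len)
{
    char enc[256];
    int n, records = 0;
    if (encode && mtab_encode(dir, enc, sizeof enc) != 0)
        return -1;
    n = snprintf(line, len, "//srv/share %s cifs rw 0 0\n", encode ? enc : dir);
    if (n < 0 || (size_t)n >= len)
        return -1;
    for (const char *p = line; *p != '\0'; ++p)
        records += (*p == '\n');
    return records;
}

int main(void)
{
    const char *dir = "/mnt/data\nset 1";   /* constructed sample name */
    char line[512];
    printf("raw:     %d record(s)\n", format_entry(dir, 0, line, sizeof line));
    printf("encoded: %d record(s)\n", format_entry(dir, 1, line, sizeof line));
    return 0;
}
```

Written raw, the single entry spans two mtab records; encoded, it stays one record and the name round-trips through getmntent(3) decoding.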

Comment 16 errata-xmlrpc 2011-04-04 20:06:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0412 https://rhn.redhat.com/errata/RHSA-2011-0412.html

Comment 19 errata-xmlrpc 2012-02-13 20:35:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0125 https://rhn.redhat.com/errata/RHSA-2012-0125.html
