Bug 559579 - (CVE-2010-0296) CVE-2010-0296 glibc: Improper encoding of names with certain special character in utilities for writing to mtab table
CVE-2010-0296 glibc: Improper encoding of names with certain special characte...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 599045 688214 688215 767685 769360
Blocks: 767564
  Show dependency treegraph
Reported: 2010-01-28 09:35 EST by Jan Lieskovsky
Modified: 2016-02-04 02:00 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-02-13 15:52:58 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Sourceware 19563 None None None 2016-02-04 02:00 EST

  None (edit)
Description Jan Lieskovsky 2010-01-28 09:35:30 EST
It was found that glibc's utility, responsible for editing
of system's mtab table, improperly sanitized user supplied
mount point names containing certain special character. Local
attacker could use this flaw to add arbitrary mount points
(corrupt system's "/etc/mtab" file) or, potentially, set
unauthorized mount options. Other attacks are also possible.

Issue severity note:
The /etc/mtab file handles mounted devices and is automatically
updated by the mount command (more precisely by the dedicated
"mount" tool for relevant filesystem). Unprivileged user to
be able to run such a tool (and modify content of /etc/mtab),
this tool needs to be suid root enabled. The dedicated "mount"
tools, as shipped with Red Hat Enterprise Linux (mount.cifs,
mount.fuse, fusermount, mount.nfs, mount.nfs4) does NOT allow
unprivileged user to use them (without prior grant of additional
privileges from the privileged user) for editing of system's
/etc/mtab file, which mitigates impact of this flaw.
Comment 10 Jan Lieskovsky 2010-06-02 10:48:16 EDT
Public via:
  [1] http://www.ubuntu.com/usn/usn-944-1
Comment 11 Jan Lieskovsky 2010-06-02 10:52:43 EDT
CVE-2010-0296 description from Mitre:

The encode_name macro in misc/mntent_r.c in the GNU C Library (aka
glibc or libc6) 2.11.1 and earlier, as used by ncpmount and
mount.cifs, does not properly handle newline characters in mountpoint
names, which allows local users to cause a denial of service (mtab
corruption), or possibly modify mount options and gain privileges, via
a crafted mount request.

  [1] http://frugalware.org/security/662
  [2] http://sourceware.org/git/?p=glibc.git;a=commit;h=ab00f4eac8f4932211259ff87be83144f5211540
  [3] http://www.ubuntu.com/usn/USN-944-1
  [4] http://securitytracker.com/id?1024043
  [5] http://secunia.com/advisories/39900
  [6] http://www.vupen.com/english/advisories/2010/1246
Comment 16 errata-xmlrpc 2011-04-04 16:06:16 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0412 https://rhn.redhat.com/errata/RHSA-2011-0412.html
Comment 19 errata-xmlrpc 2012-02-13 15:35:26 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0125 https://rhn.redhat.com/errata/RHSA-2012-0125.html

Note You need to log in before you can comment on or make changes to this bug.