Bug 562156 (CVE-2010-0547) - CVE-2010-0547 samba: mount.cifs improper device name and mountpoint strings sanitization
Summary: CVE-2010-0547 samba: mount.cifs improper device name and mountpoint strings s...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-0547
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard:
Depends On: 722551 722552 722553
Blocks: 721358
Reported: 2010-02-05 13:14 UTC by Jan Lieskovsky
Modified: 2021-02-25 01:44 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-30 06:51:12 UTC
Embargoed:


Links
  System: Red Hat Product Errata
  ID: RHSA-2011:1219
  Private: 0
  Priority: normal
  Status: SHIPPED_LIVE
  Summary: Moderate: samba security update
  Last Updated: 2011-08-29 17:27:40 UTC

Description Jan Lieskovsky 2010-02-05 13:14:48 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0547 to
the following vulnerability:

client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier
does not verify that the (1) device name and (2) mountpoint strings
are composed of valid characters, which allows local users to cause a
denial of service (mtab corruption) via a crafted string.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547

Upstream patch:
  http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054

Issue severity note:
  For a local, unprivileged user to be able to exploit this
flaw (to corrupt the system's /etc/mtab file), the relevant
mount.cifs utility present on the system has to be setuid
root enabled (otherwise the attacker is NOT able to mount a
custom CIFS share and thus add records to the system table of
mounted devices). The mount.cifs utility, shipped within the
samba-client package in Red Hat Enterprise Linux 4 and 5,
is NOT setuid root enabled in the default configuration,
which mitigates the impact of this flaw.

Comment 1 Jan Lieskovsky 2010-02-05 13:41:15 UTC
This issue does NOT affect the version of the samba package,
as shipped with Red Hat Enterprise Linux 3.

This issue affects (but with quite limited impact) the versions
of the samba package, as shipped with Red Hat Enterprise Linux 4
and Red Hat Enterprise Linux 5.

This issue affects (but with quite limited impact) the version
of the samba3x package, as shipped with Red Hat Enterprise Linux 5
Update 4.

This issue does NOT affect the versions of the samba package,
as shipped with Fedora releases 11 and 12. Samba packages for
these two Fedora releases have already been updated:
a, samba-3.4.5-0.47.fc11 contains the relevant fix for Fedora-11
b, samba-3.4.5-55.fc12 contains the relevant fix for Fedora-12

For more information please proceed to CVE-2010-0787 Red Hat
Bugzilla record:

  [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0787

and the subsequent comments in [1]:
  i,  https://bugzilla.redhat.com/show_bug.cgi?id=532940#c26
  ii, https://bugzilla.redhat.com/show_bug.cgi?id=532940#c25

Comment 5 Tomas Hoger 2011-08-02 09:04:30 UTC
Noting some context details for posterity...  This flaw actually exposed a bug (failure to escape \n character properly) in glibc's addmntent() implementation, which got CVE-2010-0296 id assigned, see bug #559579 for details.  This flaw got addressed in both glibc and samba/cifs-utils:

- glibc added proper escaping of \n;  the issue was fixed in Red Hat Enterprise Linux 6 before the initial release, and updates were made available for Red Hat Enterprise Linux 5 (RHSA-2011:0412)

- samba/cifs-utils added a check for \n in share and directory names, causing it to print an error message and exit without trying to mount the share and update mtab in such case;  this fix was included in the cifs-utils included in the Red Hat Enterprise Linux 6 initial release, and was added to samba3x packages in Red Hat Enterprise Linux 5 as part of the rebase to version 3.5.4 (RHBA-2011:0054) in Red Hat Enterprise Linux 5.6

However, the samba/cifs-utils fix contained an error which caused mount.cifs to print an error message when a share or directory name with \n was encountered, but still proceed to try to mount the share and update mtab.  This could still result in mtab corruption on systems that do not have the glibc fix.  This incomplete fix issue is now tracked as CVE-2011-2724, bug #726691.
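The two defences described in comment 5 (and the unvalidated device name and mountpoint strings from the description), as an added C example that is not mount.cifs or glibc code: the newline rejection that cifs-utils adds before any mount is attempted, and the field escaping of a fixed addmntent(). The escape mapping is assumed to match glibc's, and mtab_line is a hypothetical helper standing in for the mtab update.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Reject a share or mountpoint string containing a newline: the check the
 * cifs-utils fix added, since an unescaped '\n' in /etc/mtab starts a new
 * record (the corruption described above). */
bool mtab_field_is_safe(const char *s)
{
    return s != NULL && strchr(s, '\n') == NULL;
}

/* Escape one mtab field as the fixed glibc addmntent() does (assumed mapping):
 * space, tab, newline, backslash -> \040, \011, \012, \134. Returns bytes
 * written (without the NUL), or -1 if 'out' is too small. */
int mtab_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case ' ':  rep = "\\040"; break;
        case '\t': rep = "\\011"; break;
        case '\n': rep = "\\012"; break;
        case '\\': rep = "\\134"; break;
        }
        size_t len = rep ? 4 : 1;
        if (n + len + 1 > outlen)
            return -1;  /* no room for this token plus the NUL */
        if (rep) memcpy(out + n, rep, 4); else out[n] = *p;
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

/* Build the mtab record mount.cifs would write for 'share' on 'dir'
 * (hypothetical helper). Unsafe fields are refused before any mount is
 * attempted, not merely reported and then mounted anyway, which is the
 * incomplete fix described in comment 5. */
int mtab_line(const char *share, const char *dir, char *out, size_t outlen)
{
    char s[256], d[256];
    if (!mtab_field_is_safe(share) || !mtab_field_is_safe(dir))
        return -1;
    if (mtab_escape(share, s, sizeof s) < 0 || mtab_escape(dir, d, sizeof d) < 0)
        return -1;
    int n = snprintf(out, outlen, "%s %s cifs rw 0 0", s, d);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
```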

Comment 6 errata-xmlrpc 2011-08-29 17:27:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1219 https://rhn.redhat.com/errata/RHSA-2011-1219.html

Comment 7 Vincent Danen 2011-08-29 19:32:57 UTC
Statement:

(none)

