Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 695921 - (CVE-2011-1676) CVE-2011-1676 util-linux: mount does not remove /etc/mtab.tmp after failed mount entry addition
CVE-2011-1676 util-linux: mount does not remove /etc/mtab.tmp after failed mo...
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
public=20110303,reported=20110301,sou...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-04-12 18:11 EDT by Vincent Danen
Modified: 2011-04-27 14:14 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-04-27 14:13:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Vincent Danen 2011-04-12 18:11:03 EDT 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1676 to
the following vulnerability:

Name: CVE-2011-1676
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1676
Assigned: 20110409
Reference: http://openwall.com/lists/oss-security/2011/03/04/11
Reference: http://openwall.com/lists/oss-security/2011/03/04/9
Reference: http://openwall.com/lists/oss-security/2011/03/04/10
Reference: http://openwall.com/lists/oss-security/2011/03/04/12
Reference: http://openwall.com/lists/oss-security/2011/03/05/3
Reference: http://openwall.com/lists/oss-security/2011/03/05/7
Reference: http://openwall.com/lists/oss-security/2011/03/07/9
Reference: http://openwall.com/lists/oss-security/2011/03/14/5
Reference: http://openwall.com/lists/oss-security/2011/03/14/7
Reference: http://openwall.com/lists/oss-security/2011/03/14/16
Reference: http://openwall.com/lists/oss-security/2011/03/15/6
Reference: http://openwall.com/lists/oss-security/2011/03/22/4
Reference: http://openwall.com/lists/oss-security/2011/03/22/6
Reference: http://openwall.com/lists/oss-security/2011/03/31/3
Reference: http://openwall.com/lists/oss-security/2011/03/31/4
Reference: http://openwall.com/lists/oss-security/2011/04/01/2
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=688980

mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp
file after a failed attempt to add a mount entry, which allows local
users to trigger corruption of the /etc/mtab file via multiple
invocations.
Comment 1 Vincent Danen 2011-04-12 18:35:44 EDT 
Created util-linux-ng tracking bugs for this issue

Affects: fedora-all [bug 695940]
Comment 2 Karel Zak 2011-04-13 04:25:16 EDT 
I'd like to see reproducer for this bug. mount(8) blocks all signals when writing to mtab, the lockfile should be always removed.

I'm able to reproduce this problem on umount(8) only:

# ulimit -f 1
# umount /mnt/test

# ls -la /etc/mtab*
-rw-r--r-- 1 root root 2387 Apr 13 10:06 /etc/mtab
-rw------- 1 root root    0 Apr 13 10:07 /etc/mtab~
-rw------- 1 root root 1024 Apr 13 10:07 /etc/mtab.tmp

(mtab~ is lockfile, mtab.tmp is temporary file).
Comment 3 Tomas Hoger 2011-04-26 13:05:09 EDT 
Karel, do you actually see any issue with leaving mtab.tmp file around?  Unlike lock file (mtab~) existence, existence of this temporary file does not block further use of mount / umount and the file is overwritten as needed.  I currently fail to see a way to trigger mtab corruption as mentioned in the CVE description.  Is there anything I'm missing, or is this non-issue that should be disputed?
Comment 4 Karel Zak 2011-04-26 17:33:05 EDT 
No, the file is unimportant and always overwritten during mtab update.
Comment 5 Tomas Hoger 2011-04-27 14:13:01 EDT 
Thank you, closing as not-a-bug.  Reporter also confirms there's no issue with mtab.tmp handling:
  http://thread.gmane.org/gmane.comp.security.oss.general/4374/focus=4983
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.