It was found that mount.nfs suffers from the same flaw as other mount helpers (see CVE-2011-1089). Instead of using addmntent(), nfs-utils implements its own similar function (nfs_addmntent()) which also fails to anticipate whether resource limits would interfere with correctly writing to /etc/mtab. A local user could use this to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value. In nfs-utils-1.2.3/support/nfs/nfs_mntent.c: 126 int 127 nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { 128 char *m1, *m2, *m3, *m4; 129 int res; 130 131 if (fseek (mfp->mntent_fp, 0, SEEK_END)) 132 return 1; /* failure */ 133 134 m1 = mangle(mnt->mnt_fsname); 135 m2 = mangle(mnt->mnt_dir); 136 m3 = mangle(mnt->mnt_type); 137 m4 = mangle(mnt->mnt_opts); 138 139 res = fprintf (mfp->mntent_fp, "%s %s %s %s %d %d\n", 140 m1, m2, m3, m4, mnt->mnt_freq, mnt->mnt_passno); 141 142 free(m1); 143 free(m2); 144 free(m3); 145 free(m4); 146 return (res < 0) ? 1 : 0; 147 } The above function should use fflush() and return failure based on the success of the fflush() call, to ensure it is fully written prior to updating /etc/mtab. Perhaps something like: 146 return (res < 0) ? 1 : ((fflush(mfp->mntent_fp) == 0) ? 0 : 1);
Created nfs-utils tracking bugs for this issue Affects: fedora-all [bug 697982]
> 146 return (res < 0) ? 1 : ((fflush(mfp->mntent_fp) == 0) ? 0 : 1); Dear god, no. There's no reason to do all of that one one line. If I'm reading it right though, the logic looks correct, but let's do something that's a little easier to read (and debug...)
Looks like this does not affect the version in RHEL4 as I can't see any mention of addmntent() or nfs_addmntent() anywhere (the only reference to mtab seems to be in nfs-utils-1.0.6/utils/rquotad/mntent.h). Jeff, can you confirm whether or not this is an issue for RHEL4? Thanks.
This was assigned CVE-2011-1749.
Statement: This issue did not affect the versions of nfs-utils as shipped with Red Hat Enterprise Linux 4 as it did not include include mount.nfs. It was addressed in Red Hat Enterprise Linux 5 and 6 via RHSA-2012:0310 and RHSA-2011:1534 respectively.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:1534 https://rhn.redhat.com/errata/RHSA-2011-1534.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:0310 https://rhn.redhat.com/errata/RHSA-2012-0310.html