LinuxSecurity.com
Mandriva: Subject: [Security Announce] [ MDVSA-2008:208 ] pam_mount
Posted by Benjamin D. Thomas   
Mandrake pam_mount 0.10 through 0.45, when luserconf is enabled, does not verify mountpoint and source ownership before mounting a user-defined volume, which allows local users to bypass intended access restrictions via a local mount. The updated packages have been patched to fix the issue.
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:208
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pam_mount
 Date    : September 29, 2008
 Affected: 2007.1, 2008.0, 2008.1, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 pam_mount 0.10 through 0.45, when luserconf is enabled, does not verify
 mountpoint and source ownership before mounting a user-defined volume,
 which allows local users to bypass intended access restrictions via
 a local mount.
 
 The updated packages have been patched to fix the issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3970
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.1:
 dabe7e010c95879959959e4804ae83cb  2007.1/i586/pam_mount-0.17-1.1mdv2007.1.i586.rpm
 b237206c3e85a63b0e733a7db02fcba1  2007.1/i586/pam_mount-devel-0.17-1.1mdv2007.1.i586.rpm 
 c81ceb5ccab44675322db02cdc5cc972  2007.1/SRPMS/pam_mount-0.17-1.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 db7d0a5b43608ce1741bfbcb75dccc88  2007.1/x86_64/pam_mount-0.17-1.1mdv2007.1.x86_64.rpm
 c18edd6508f15bb3bdf041baa8021df8  2007.1/x86_64/pam_mount-devel-0.17-1.1mdv2007.1.x86_64.rpm 
 c81ceb5ccab44675322db02cdc5cc972  2007.1/SRPMS/pam_mount-0.17-1.1mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 14582d4c7f686e67632d9603b33a16f6  2008.0/i586/pam_mount-0.17-1.1mdv2008.0.i586.rpm
 e909ab0be3d5e979500ce026c6d47217  2008.0/i586/pam_mount-devel-0.17-1.1mdv2008.0.i586.rpm 
 96406b251d1096347fbd9d699d158e53  2008.0/SRPMS/pam_mount-0.17-1.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 7e30f80f0b113a9c0f9089452eba9e66  2008.0/x86_64/pam_mount-0.17-1.1mdv2008.0.x86_64.rpm
 b0e1455f76a67b2def22fb84b3c835df  2008.0/x86_64/pam_mount-devel-0.17-1.1mdv2008.0.x86_64.rpm 
 96406b251d1096347fbd9d699d158e53  2008.0/SRPMS/pam_mount-0.17-1.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 0f3271419c28fadaa6420438d7f434ac  2008.1/i586/pam_mount-0.33-2.1mdv2008.1.i586.rpm 
 eec908414e3a3b50141821b4628c91e5  2008.1/SRPMS/pam_mount-0.33-2.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 3235bba384d4a2692b557b6a14ae1779  2008.1/x86_64/pam_mount-0.33-2.1mdv2008.1.x86_64.rpm 
 eec908414e3a3b50141821b4628c91e5  2008.1/SRPMS/pam_mount-0.33-2.1mdv2008.1.src.rpm

 Corporate 4.0:
 19f2eb0aacfc918f263797734665bd33  corporate/4.0/i586/pam_mount-0.10.0-5.1.20060mlcs4.i586.rpm
 74d983393ad8d8f288df52b682e5423d  corporate/4.0/i586/pam_mount-devel-0.10.0-5.1.20060mlcs4.i586.rpm 
 55b755782e2b61a013e60d397f1cfbbd  corporate/4.0/SRPMS/pam_mount-0.10.0-5.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 5e1cd73d9ab0d15e95333e0aac62c6ed  corporate/4.0/x86_64/pam_mount-0.10.0-5.1.20060mlcs4.x86_64.rpm
 1a4fef46e82af0950bc034fceec01285  corporate/4.0/x86_64/pam_mount-devel-0.10.0-5.1.20060mlcs4.x86_64.rpm 
 55b755782e2b61a013e60d397f1cfbbd  corporate/4.0/SRPMS/pam_mount-0.10.0-5.1.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
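
The check the Problem Description says was missing, sketched as an added example (this is not pam_mount's code or the Mandriva patch): before a volume defined in a per-user configuration file is mounted, confirm that the requesting user owns both the source and the mountpoint. The function names, return codes and the decision to refuse symlinks are assumptions made for illustration.

```c
/* Added illustration; function names are hypothetical, not pam_mount's. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if path exists, is not a symlink, and is owned by uid;
 * 0 if it exists but fails the check; -1 if it cannot be examined. */
int path_owned_by(const char *path, uid_t uid)
{
    struct stat st;

    /* lstat() so that a symlink is judged itself, not its target */
    if (lstat(path, &st) != 0)
        return -1;
    if (S_ISLNK(st.st_mode))
        return 0;
    return st.st_uid == uid ? 1 : 0;
}

/* Gate for a volume taken from a per-user config file: the requesting
 * user must own both the source and the mountpoint. Any error denies. */
int mount_request_allowed(const char *source, const char *mountpoint,
                          uid_t uid)
{
    return path_owned_by(source, uid) == 1 &&
           path_owned_by(mountpoint, uid) == 1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s SOURCE MOUNTPOINT\n", argv[0]);
        return 2;
    }
    int ok = mount_request_allowed(argv[1], argv[2], getuid());
    printf("%s -> %s: %s\n", argv[1], argv[2], ok ? "allowed" : "denied");
    return ok ? 0 : 1;
}
```

A path-based check like this leaves a window between the check and the mount, so privileged code also has to make sure the object it mounts is the one it checked.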