Bug 385315 (CVE-2011-3585) - <net-fs/cifs-utils-5.1: mount.cifs mtab locking Denial of Service (CVE-2011-3585)
Status: RESOLVED FIXED
Alias: CVE-2011-3585
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.samba.org/show_bug.c...
Whiteboard: ~3 [noglsa]
 
Reported: 2011-10-02 05:06 UTC by Tim Sammut (RETIRED)
Modified: 2012-04-11 10:58 UTC

Description Tim Sammut (RETIRED) gentoo-dev 2011-10-02 05:06:18 UTC
From the upstream bug at $URL:

mount.cifs, and umount.cifs are vulnerable to race conditions that allow
unprivileged users to create denial of service conditions.  All of these
mounting utilities create "/etc/mtab~" as a lockfile before updating /etc/mtab,
deleting the lockfile after finishing.  By starting the mounting or unmounting
process using either of these utilities and then sending a SIGKILL to the
process at the right moment, the lockfile will not be cleaned up.  The
existence of this stale lockfile will cause most mounting utilities to abort,
denying service.  While the use of /etc/mtab~ is standard practice for mount
utilities, suid versions such as these should use safer locking techniques that
expire on process termination, since they can be killed mid-execution by
unprivileged users.  Signal handling is not an option, since SIGKILL cannot be
caught.  I have working exploit code available on request if you're having
trouble reproducing the issue.
Comment 1 Víctor Ostorga (RETIRED) gentoo-dev 2011-10-03 14:17:41 UTC
CVE-2011-3585 is still reserved [1] and our stable samba doesn't allow mount.cifs being installed setuid root.

[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3585
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-03 15:22:38 UTC
(In reply to comment #1)
> CVE-2011-3585 is still reserved [1] 

Not sure what that has to say as to the nature of the issue. CVEs usually take a few days to be filled in.

> and our stable samba doesn't allow
> mount.cifs being installed setuid root.
> 

Our "stable samba" implies that our testing samba behaves differently?

Also, next time, please just state your reasons why a bug is invalid in your opinion without closing the bug, *we* will do that after confirming your explanation.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-04 13:59:28 UTC
Reopening until my questions are answered.
Comment 4 Víctor Ostorga (RETIRED) gentoo-dev 2011-10-04 16:08:20 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > CVE-2011-3585 is still reserved [1] 
> 
> Not sure what that has to say as to the nature of the issue. CVEs usually take
> a few days to be filled in.
> 
> > and our stable samba doesn't allow
> > mount.cifs being installed setuid root.
> > 
> 
> Our "stable samba" implies that our testing samba behaves differently?

Currently there is no testing samba, only a masked one. Masked samba 3.6.0 and above use net-fs/cifs-utils as a provider for mount.cifs. I've dropped the setuid flag from cifs-utils; however, users are free to set it setuid (as they were when the ebuild provided the setuid USE flag).

> 
> Also, next time, please just state your reasons why a bug is invalid in your
> opinion without closing the bug, *we* will do that after confirming your
> explanation.

Got it.
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-04-11 10:58:35 UTC
04 Oct 2011; Víctor Ostorga <vostorga@gentoo.org> cifs-utils-5.1.ebuild:
  Dropping setuid flag, CVE-2011-3585  bug 385315
-> net-fs/cifs-utils is noglsa for ~arch only

So our stable net-fs/samba versions are not vulnerable because they don't allow mount.cifs to be installed setuid root. Our unstable net-fs/samba relies on net-fs/cifs-utils, which was vulnerable but is now fixed.

Re-rating to ~3 and closing.