Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 237093 (CVE-2008-3970)

Summary: sys-auth/pam_mount <0.47 Missing security checks on user-defined mounts (CVE-2008-3970)
Product: Gentoo Security Reporter: Rodrigo Severo <rodrigo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: hanno
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://sourceforge.net/mailarchive/forum.php?thread_name=alpine.LNX.1.10.0809042353120.17569%40fbirervta.pbzchgretzou.qr&forum_name=pam-mount-user
Whiteboard: ~? [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 237092    
Bug Blocks:    
Attachments:
Description Flags
Ebuild for pam_mount 0.47 none

Description Rodrigo Severo 2008-09-08 19:44:19 UTC 
There is a new pam_mount release: 0.47 at <http://downloads.sourceforge.net/pam-mount/pam_mount-0.47.tar.lzma?modtime=1220593408&big_mirror=0>.

This versions has a working sgrp parameter even when logining in through a ldap server.
Comment 1 Rodrigo Severo 2008-09-08 19:45:53 UTC 
Created attachment 164952 [details]
Ebuild for pam_mount 0.47

This ebuild is a copy of pam_mount 0.43 with the dependency for libhx changed to "=sys-libs/libhx-1.23" as this seems to be the only compatible version of libhx.
Comment 2 Hanno Böck gentoo-dev 2008-09-08 23:44:27 UTC 
ccing security, 0.47 has a security fix (cve requested). We have no stable pam_mount versions though, so maybe there isn't much more to do than bumping.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-09-09 09:05:32 UTC 
Would this allow for privilege escalation, or is the user-defined mount function only limited to, e.g. home ?

Patch:
http://dev.medozas.de/gitweb.cgi?p=pam_mount;a=commit;h=33b91d7659ae3aa78b1e94fd3f8e545ae5ff25db
Comment 4 Hanno Böck gentoo-dev 2008-09-09 09:12:40 UTC 
Bump already done. Do we need to do anything else? (no glsa afaik for non-stable-keyworded packages)
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-09-09 10:57:47 UTC 
(In reply to comment #4)
> Bump already done. Do we need to do anything else? (no glsa afaik for
> non-stable-keyworded packages)

That's true.

Still, what's the impact (comment #3)?
Comment 6 Rodrigo Severo 2008-09-09 13:39:33 UTC 
(In reply to comment #5)
> (In reply to comment #4)
> Still, what's the impact (comment #3)?

As far as I know mounts that should happen as the user is attached to some group as a secondary group didn't happen at all so I wouldn't describe it as a security issue at all.

Maybe Robert has some other info.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-09-09 15:10:23 UTC 
CVE-2008-3970 has been assigned.