Summary: | sys-auth/pam_mount <0.47 Missing security checks on user-defined mounts (CVE-2008-3970)
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Reporter: | Rodrigo Severo <rodrigo>
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | trivial
CC: | hanno
Priority: | High
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://sourceforge.net/mailarchive/forum.php?thread_name=alpine.LNX.1.10.0809042353120.17569%40fbirervta.pbzchgretzou.qr&forum_name=pam-mount-user
Whiteboard: | ~? [noglsa]
Package list: |
Runtime testing required: | ---
Bug Depends on: | 237092
Bug Blocks: |
Attachments: |

Description
Rodrigo Severo
2008-09-08 19:44:19 UTC
Created attachment 164952
Ebuild for pam_mount 0.47
This ebuild is a copy of pam_mount 0.43 with the dependency for libhx changed to "=sys-libs/libhx-1.23" as this seems to be the only compatible version of libhx.

ccing security, 0.47 has a security fix (cve requested). We have no stable pam_mount versions though, so maybe there isn't much more to do than bumping.

Would this allow for privilege escalation, or is the user-defined mount function only limited to, e.g. home?

Patch: http://dev.medozas.de/gitweb.cgi?p=pam_mount;a=commit;h=33b91d7659ae3aa78b1e94fd3f8e545ae5ff25db

Bump already done. Do we need to do anything else? (no glsa afaik for non-stable-keyworded packages)

(In reply to comment #4)
> Bump already done. Do we need to do anything else? (no glsa afaik for
> non-stable-keyworded packages)

That's true. Still, what's the impact (comment #3)?

(In reply to comment #5)
> (In reply to comment #4)
> Still, what's the impact (comment #3)?

As far as I know mounts that should happen as the user is attached to some group as a secondary group didn't happen at all so I wouldn't describe it as a security issue at all. Maybe Robert has some other info.

CVE-2008-3970 has been assigned.