Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 195390 - sys-apps/util-linux < 2.12r-r8 Privilege Escalation Vulnerability (CVE-2007-5191)
Summary: sys-apps/util-linux < 2.12r-r8 Privilege Escalation Vulnerability (CVE-2007-5...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
Whiteboard: A1 [glsa]
Depends on:
Reported: 2007-10-10 16:12 UTC by Tobias Heinlein (RETIRED)
Modified: 2008-01-10 09:00 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-10 16:12:06 UTC
A vulnerability has been reported in util-linux, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

The vulnerability is caused due to the mount and umount programs incorrectly checking the return values of the "setuid()" and "setgid()" functions when dropping privileges. This can potentially be exploited to perform certain actions with escalated privileges via e.g. the mount.nfs utility.

The vulnerability is reported in version 2.12r. Other versions may also be affected.

Fixed in the util-linux-ng repository.;a=commit;h=ebbeb2c7ac1b00b6083905957837a271e80b187e
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-10 16:24:46 UTC
You already applied the patch in -r8 a few days ago, but I couldn't find an appropriate security bug for this issue.

Do you have plans to stabilise util-linux-2.12r-r8? Our latest stable version is vulnerable.
Comment 2 SpanKY gentoo-dev 2007-10-10 18:04:43 UTC
i dont have any plans for anything

whatever security team wants to push is up to them, 2.12r-r8 is fine
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-10 20:06:12 UTC
Arches pleases test and mark stable sys-apps/util-linux-2.12r-r8
target "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-10 23:06:28 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-11 03:12:28 UTC
Stable for HPPA
Comment 6 Steve Dibb (RETIRED) gentoo-dev 2007-10-11 03:25:11 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-11 03:30:40 UTC
Stable for SPARC.
Comment 8 Tom Gall (RETIRED) gentoo-dev 2007-10-11 05:15:26 UTC
stable on ppc64
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2007-10-11 16:21:36 UTC
alpha/ia64 stable
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-12 15:14:10 UTC
ppc stable, ready for glsa
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-10-12 17:17:28 UTC
(In reply to comment #10)
> ppc stable, ready for glsa

request filed.

Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-18 21:53:42 UTC
GLSA 200710-18
Comment 13 Joshua Kinard gentoo-dev 2007-11-19 07:20:45 UTC
mips stable.