Date: Fri, 29 Jul 2011 17:09:13 +0200 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security@...ts.openwall.com, Jeffrey Layton <jlayton@...hat.com> Subject: CVE-2011-2724 assignment notification -- samba -- incomplete fix for CVE-2010-0547 issue Hello Josh, Steve, vendors, during creation of automated test case for samba CVE-2010-0547 issue I have noticed still to be possible mount.cifs to succeed to mount Samba share to specially-crafted mount point (containing newline character), potentially resulting into mtab corruption (on systems, where glibc package was not patched against CVE-2010-0296 flaw yet). The new CVE identifier of CVE-2011-2724 has been assigned to this issue (as an incomplete fix for CVE-2010-0547 issue). Kudos to Tomas Hoger and Jeffrey Layton for their analysis of the issue: check_mtab() calls check_newline() to check device and directory name. check_newline() returns EX_USAGE (1) when error is detected, while check_mtab() expects -1 to indicate an error. and to Jeffrey Layton again for providing the patch almost immediately:  http://comments.gmane.org/gmane.linux.kernel.cifs/3827 References:  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2724 Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ