============================================ ncpfs, Multiple Vulnerabilities March 5, 2010 CVE-2010-0788, CVE-2010-0790, CVE-2010-0791 ============================================ ==Description== The ncpmount, ncpumount, and ncplogin utilities, installed as part of the ncpfs package, contain several vulnerabilities. 1. ncpmount, ncpumount, and ncplogin are vulnerable to race conditions that allow a local attacker to unmount arbitrary mountpoints, causing denial-of-service, or mount Netware shares to arbitrary directories, potentially leading to root compromise. This issue was formerly assigned CVE-2009-3297, but has since been re-assigned CVE-2010-0788 to avoid overlap with related bugs in other packages. 2. ncpumount is vulnerable to an information disclosure vulnerability that allows a local attacker to verify the existence of arbitrary files, violating directory permissions. This issue has been assigned CVE-2010-0790. 3. ncpmount, ncpumount, and ncplogin create lockfiles insecurely, allowing a local attacker to leave a stale lockfile at /etc/mtab~, causing other mount utilities to fail and creating denial-of-service conditions. This issue has been assigned CVE-2010-0791. ==Workaround== If unprivileged users do not need the ability to mount and unmount Netware shares, then the suid bit should be removed from these utilities. ==Solution== A patch has been released that resolves these issues (attached to this advisory). ncpfs-2.2.6.partial.patch is intended for ncpfs releases that have already been patched against the first vulnerability in this report (CVE-2010-0788, formerly CVE-2009-3297). It has been tested against the latest ncpfs packages distributed by Fedora, Red Hat, and Mandriva. ncpfs-2.2.6.full.patch is intended for ncpfs releases that have not been patched against any of these vulnerabilities. It has been tested against the latest ncpfs packages distributed by Debian, Ubuntu, and the upstream release (ftp://platan.vc.cvut.cz/pub/linux/ncpfs/). Users are advised to recompile from source, or request updated packages from downstream distributors. ==Credits== These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenberg () gmail com). Thanks to Vitezslav Crhonek for the patch against the first issue. ==References== CVE identifiers CVE-2010-0788, CVE-2010-0790, and CVE-2010-0791 have been assigned to these issues.
Attachment: ncpfs-2.2.6.full.patch
Description:
Attachment: ncpfs-2.2.6.partial.patch
Description:
