From Mageia wiki
Revision as of 13:32, 10 June 2012 by Tmb (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

MGASA-2012-0112

Date: June 10th, 2012
Affected releases: 1, 2


Description:
Updated ncpfs packages fix security vulnerabilities:

ncpfs 2.2.6 and earlier attempts to use (1) ncpmount to append to
the /etc/mtab file and (2) ncpumount to append to the /etc/mtab.tmp
file without first checking whether resource limits would interfere,
which allows local users to trigger corruption of the /etc/mtab file
via a process with a small RLIMIT_FSIZE value, a related issue to
CVE-2011-1089 (CVE-2011-1679).

ncpmount in ncpfs 2.2.6 and earlier does not remove the /etc/mtab~
lock file after a failed attempt to add a mount entry, which has
unspecified impact and local attack vectors (CVE-2011-1680).


Updated Packages:
Mageia 1:
ncpfs-2.2.6-11.1.mga1
ipxutils-2.2.6-11.1.mga1
lib(64)ncpfs2.3-2.2.6-11.1.mga1
lib(64)ncpfs-devel-2.2.6-11.1.mga1
Mageia 2:
ncpfs-2.2.6-11.1.mga2
ipxutils-2.2.6-11.1.mga2
lib(64)ncpfs2.3-2.2.6-11.1.mga2
lib(64)ncpfs-devel-2.2.6-11.1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1679
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1680
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:084
https://bugs.mageia.org/show_bug.cgi?id=6153