Debian Bug report logs -
#499841
CVE-2008-3970: does not verify mountpoint and source ownership before mounting a user-defined volume
Reported by: Stefan Fritsch <sf@sfritsch.de>
Date: Mon, 22 Sep 2008 22:06:09 UTC
Severity: grave
Tags: fixed-upstream, security
Found in version libpam-mount/0.18-3
Fixed in versions libpam-mount/0.48-1, libpam-mount/0.44-1+lenny1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Bastian Kleineidam <calvin@debian.org>:
Bug#499841; Package libpam-mount.
(Mon, 22 Sep 2008 22:06:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Bastian Kleineidam <calvin@debian.org>.
(Mon, 22 Sep 2008 22:06:11 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libpam-mount
Version: 0.18-3
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libpam-mount.
CVE-2008-3970[0]:
| pam_mount 0.10 through 0.45, when luserconf is enabled, does not
| verify mountpoint and source ownership before mounting a
| user-defined volume, which allows local users to bypass intended
| access restrictions via a local mount.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3970
http://security-tracker.debian.net/tracker/CVE-2008-3970
Reply sent
to Bastian Kleineidam <calvin@debian.org>:
You have taken responsibility.
(Tue, 30 Sep 2008 09:33:12 GMT) (full text, mbox, link).
Notification sent
to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.
(Tue, 30 Sep 2008 09:33:12 GMT) (full text, mbox, link).
Message #10 received at 499841-close@bugs.debian.org (full text, mbox, reply):
Source: libpam-mount
Source-Version: 0.48-1
We believe that the bug you reported is fixed in the latest version of
libpam-mount, which is due to be installed in the Debian FTP archive:
libpam-mount_0.48-1.diff.gz
to pool/main/libp/libpam-mount/libpam-mount_0.48-1.diff.gz
libpam-mount_0.48-1.dsc
to pool/main/libp/libpam-mount/libpam-mount_0.48-1.dsc
libpam-mount_0.48-1_amd64.deb
to pool/main/libp/libpam-mount/libpam-mount_0.48-1_amd64.deb
libpam-mount_0.48.orig.tar.gz
to pool/main/libp/libpam-mount/libpam-mount_0.48.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 499841@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Kleineidam <calvin@debian.org> (supplier of updated libpam-mount package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 28 Sep 2008 19:50:41 +0200
Source: libpam-mount
Binary: libpam-mount
Architecture: source amd64
Version: 0.48-1
Distribution: unstable
Urgency: high
Maintainer: Bastian Kleineidam <calvin@debian.org>
Changed-By: Bastian Kleineidam <calvin@debian.org>
Description:
libpam-mount - PAM module that can mount volumes for a user session
Closes: 493234 494107 497813 499841
Changes:
libpam-mount (0.48-1) unstable; urgency=high
.
* New upstream release, using libhx >= 0.25.
- Prevents security flaw CVE-2008-3970 (thus urgency high) (Closes: #499841)
- Prevents double free in "su" usage (Closes: #493234)
- Does "~" expanding in paths again (Closes: #497813)
- Print names of blocking processes on umount (Closes: #494107)
Checksums-Sha1:
334e887e63561878f518502c012390913604003a 1221 libpam-mount_0.48-1.dsc
e30d755db6e1c0c3786c466a29f5a5e86098454d 433641 libpam-mount_0.48.orig.tar.gz
702e1cba128c380706cdf89cca0f10a20efd3cfe 24840 libpam-mount_0.48-1.diff.gz
23f28f7de5716e5ea480c475c63a2b1e3f93eaaa 111860 libpam-mount_0.48-1_amd64.deb
Checksums-Sha256:
c83b3bc9927235cb84907e4d3d534daac43378d8502b8bf8d450e205b6470d3d 1221 libpam-mount_0.48-1.dsc
ed9ddbbc2fa5ab1e554dcc780d1a3e4a528a8ed44e30b690c00f4b25c98e7719 433641 libpam-mount_0.48.orig.tar.gz
61312bf18722c133f4da35b4c6dd0a6c4f8752e4168bb73830ddcd5c6b4d748e 24840 libpam-mount_0.48-1.diff.gz
bbdb19c383d3acf8cb83f1075b67069401194d6a901dc82822e38589b7dcdcd3 111860 libpam-mount_0.48-1_amd64.deb
Files:
f9178ac979dcfc0866827e4d96ba1503 1221 admin extra libpam-mount_0.48-1.dsc
8b891db48c030fef8e098aab38261cbd 433641 admin extra libpam-mount_0.48.orig.tar.gz
3d77e2819126d703d51b1be5ae394a05 24840 admin extra libpam-mount_0.48-1.diff.gz
233a3d1a061e3173b1d54bb4bb08311e 111860 admin extra libpam-mount_0.48-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkjhMmMACgkQeBwlBDLsbz567wCgppLPTRJvkkdsLoKjBOvRpvHJ
keoAoMHUX6mF3dkDy0MPrCQ5GRAnO+Ve
=88Mc
-----END PGP SIGNATURE-----
Reply sent
to Nico Golde <nion@debian.org>:
You have taken responsibility.
(Fri, 03 Oct 2008 18:33:07 GMT) (full text, mbox, link).
Notification sent
to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.
(Fri, 03 Oct 2008 18:33:08 GMT) (full text, mbox, link).
Message #15 received at 499841-close@bugs.debian.org (full text, mbox, reply):
Source: libpam-mount
Source-Version: 0.44-1+lenny1
We believe that the bug you reported is fixed in the latest version of
libpam-mount, which is due to be installed in the Debian FTP archive:
libpam-mount_0.44-1+lenny1.diff.gz
to pool/main/libp/libpam-mount/libpam-mount_0.44-1+lenny1.diff.gz
libpam-mount_0.44-1+lenny1.dsc
to pool/main/libp/libpam-mount/libpam-mount_0.44-1+lenny1.dsc
libpam-mount_0.44-1+lenny1_amd64.deb
to pool/main/libp/libpam-mount/libpam-mount_0.44-1+lenny1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 499841@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated libpam-mount package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 03 Oct 2008 17:58:26 +0200
Source: libpam-mount
Binary: libpam-mount
Architecture: source amd64
Version: 0.44-1+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Bastian Kleineidam <calvin@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
libpam-mount - PAM module that can mount volumes for a user session
Closes: 499841
Changes:
libpam-mount (0.44-1+lenny1) testing-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add security checks including mountpoint and source ownership
verification before mounting user-defined volumes to prevent
access restriction bypasses (07_CVE-2008-3970.dpatch; Closes: #499841).
Checksums-Sha1:
aef22d9080013679c40225db16c6b4e642f0f98a 1249 libpam-mount_0.44-1+lenny1.dsc
01a86631c1a5885e9a45b88081d70f31a2161408 429353 libpam-mount_0.44.orig.tar.gz
ca2497d292950d43faef9a21b99ab2cb1d115139 25386 libpam-mount_0.44-1+lenny1.diff.gz
974038ae4d97bf8d047dee5c7cfaaaf0952c5e70 104370 libpam-mount_0.44-1+lenny1_amd64.deb
Checksums-Sha256:
2048629ad34b714689624e0f596e225781069c4efd0264f2e5eabebc1fef0264 1249 libpam-mount_0.44-1+lenny1.dsc
f3e09e06ff3ee7eb7b6d000a74403597658ee8c96339be6537a14d2cb502b87b 429353 libpam-mount_0.44.orig.tar.gz
5fd2e5854d606cf107ebfae4d72c571c4287dff17567d7ddda87f7bb469c8c67 25386 libpam-mount_0.44-1+lenny1.diff.gz
ea848594d23c17a3b6a1cbc2f1d5d62f84b3b174e80e93f43a1f966f8fe38658 104370 libpam-mount_0.44-1+lenny1_amd64.deb
Files:
1db662e022028990fb1708e6bd28915a 1249 admin extra libpam-mount_0.44-1+lenny1.dsc
05ceba2445efa851deecb570f73e8e92 429353 admin extra libpam-mount_0.44.orig.tar.gz
91eb158c7447a01e838ea96dc27314d6 25386 admin extra libpam-mount_0.44-1+lenny1.diff.gz
eaf2ab48e7803b09fb6f72c6044ae618 104370 admin extra libpam-mount_0.44-1+lenny1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkjmRooACgkQHYflSXNkfP89eACdEcEJaLKRYFP1uxzrQx8o/BzT
czEAn3lJcm7sg2nR/dUR9lIajDeVZH7U
=JVsY
-----END PGP SIGNATURE-----
Tags added: fixed-upstream
Request was from Jan Engelhardt <jengelh@medozas.de>
to control@bugs.debian.org.
(Fri, 09 Jan 2009 08:51:05 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 16 Feb 2009 08:07:33 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:54:10 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon