MDVSA-2008:208-1
- Package name: pam_mount
- Date: 2008-10-18
- Advisory ID: MDVSA-2008:208-1
- Affected versions: 2008.1 x86_64, 2008.1 i586
Problem description
pam_mount 0.10 through 0.45, when luserconf is enabled, does not verify
mountpoint and source ownership before mounting a user-defined volume,
which allows local users to bypass intended access restrictions via
a local mount.
The updated packages have been patched to fix the issue.
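The flaw described above is a missing ownership check on the source and
mountpoint of a user-defined volume. The following is an added example of
such a check, not pam_mount's code or the Mandriva patch; the function names
owned_by and volume_owned_by_user are hypothetical.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 only if `path` exists and is owned by `uid`.
 * stat() follows symlinks, so a user-owned link pointing at a
 * root-owned directory is judged by the directory's owner. */
static int owned_by(const char *path, uid_t uid)
{
    struct stat sb;

    if (stat(path, &sb) != 0)
        return 0;               /* missing or inaccessible: refuse */
    return sb.st_uid == uid;
}

/* Hypothetical policy helper: a user-defined volume is acceptable
 * only when the user owns both the source and the mountpoint. */
int volume_owned_by_user(const char *source, const char *mountpoint,
                         uid_t uid)
{
    return owned_by(source, uid) && owned_by(mountpoint, uid);
}

/* Usage: ./check SOURCE MOUNTPOINT  (checks against the calling user) */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s SOURCE MOUNTPOINT\n", argv[0]);
        return 2;
    }
    if (!volume_owned_by_user(argv[1], argv[2], getuid())) {
        fprintf(stderr, "refused: %s and %s must both be owned by uid %lu\n",
                argv[1], argv[2], (unsigned long)getuid());
        return 1;
    }
    puts("ownership check passed");
    return 0;
}
```

A path-based check like this can race with a rename or symlink swap between
the check and the mount, so privileged code should keep the checked objects
open and operate on the descriptors.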
Update:
The fix for CVE-2008-3970 uncovered crashes in the code handling the
'allow', 'deny', and 'require' options in pam_mount-0.33, released
for Mandriva Linux 2008 Spring. Also, the verification of the allowed
mount options ('allow' configuration directive) was inverted in
pam_mount-0.33.
This update fixes these issues.
Updated packages
2008.1 x86_64
987c215769eea4ecbc860b7eec68cca4 2008.1/x86_64/pam_mount-0.33-2.3mdv2008.1.x86_64.rpm
afc9d31b5a180beaddf715b64e70ce22 2008.1/SRPMS/pam_mount-0.33-2.3mdv2008.1.src.rpm
2008.1 i586
f57f019d59c0bf8a326b6f1259d46b82 2008.1/i586/pam_mount-0.33-2.3mdv2008.1.i586.rpm
afc9d31b5a180beaddf715b64e70ce22 2008.1/SRPMS/pam_mount-0.33-2.3mdv2008.1.src.rpm
