-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2012:084 http://www.mandriva.com/security/ _______________________________________________________________________ Package : ncpfs Date : May 29, 2012 Affected: 2010.1, 2011., Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in ncpfs: ncpfs 2.2.6 and earlier attempts to use (1) ncpmount to append to the /etc/mtab file and (2) ncpumount to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089 (CVE-2011-1679). ncpmount in ncpfs 2.2.6 and earlier does not remove the /etc/mtab~ lock file after a failed attempt to add a mount entry, which has unspecified impact and local attack vectors (CVE-2011-1680). The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1679 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1680 _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.1: fcf6ae876a1944866abf3f89fc1cc717 2010.1/i586/ipxutils-2.2.6-11.1mdv2010.2.i586.rpm 0b40a7d80d41861d615d4e61a1198021 2010.1/i586/libncpfs2.3-2.2.6-11.1mdv2010.2.i586.rpm c1efbb865726eaeed69d6c8a923548ad 2010.1/i586/libncpfs-devel-2.2.6-11.1mdv2010.2.i586.rpm c2c2d9e066385453de74183eb43e81fc 2010.1/i586/ncpfs-2.2.6-11.1mdv2010.2.i586.rpm a1d6255c98ab28f2fc1e1410576b204b 2010.1/SRPMS/ncpfs-2.2.6-11.1mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: d070d05f821feb75a07b322a898ab860 2010.1/x86_64/ipxutils-2.2.6-11.1mdv2010.2.x86_64.rpm 4236198fccc9dec81d844cab80930e51 2010.1/x86_64/lib64ncpfs2.3-2.2.6-11.1mdv2010.2.x86_64.rpm f38713cce8c5d16bc874b32d94f0aaa7 2010.1/x86_64/lib64ncpfs-devel-2.2.6-11.1mdv2010.2.x86_64.rpm 5db5c3c92d4d9807afc69b40f1c31eaa 2010.1/x86_64/ncpfs-2.2.6-11.1mdv2010.2.x86_64.rpm a1d6255c98ab28f2fc1e1410576b204b 2010.1/SRPMS/ncpfs-2.2.6-11.1mdv2010.2.src.rpm Mandriva Linux 2011: 7634637332ed28f52bfd6b28914eb2b7 2011/i586/ipxutils-2.2.6-11.1-mdv2011.0.i586.rpm 3a51d86b4acdd911f61bc5dadbc85077 2011/i586/libncpfs2.3-2.2.6-11.1-mdv2011.0.i586.rpm c92a4e9fa732413b0e34d7019d149b13 2011/i586/libncpfs-devel-2.2.6-11.1-mdv2011.0.i586.rpm 724b31d8e5e36be37daa3091827d641c 2011/i586/ncpfs-2.2.6-11.1-mdv2011.0.i586.rpm cae8abcad945b3f460e9449a7ac25ef5 2011/SRPMS/ncpfs-2.2.6-11.1.src.rpm Mandriva Linux 2011/X86_64: 1f9ec73ac6a898419682a57c488b5ff0 2011/x86_64/ipxutils-2.2.6-11.1-mdv2011.0.x86_64.rpm 5ee31fd846aaad1296af44b5a17d955c 2011/x86_64/lib64ncpfs2.3-2.2.6-11.1-mdv2011.0.x86_64.rpm 2ee5d43dc42649df468e7e09056ef028 2011/x86_64/lib64ncpfs-devel-2.2.6-11.1-mdv2011.0.x86_64.rpm 96510fe5626471a04431bdeb543d26d3 2011/x86_64/ncpfs-2.2.6-11.1-mdv2011.0.x86_64.rpm cae8abcad945b3f460e9449a7ac25ef5 2011/SRPMS/ncpfs-2.2.6-11.1.src.rpm Mandriva Enterprise Server 5: b88bf988ea0ab1de5f2f54e31c25a721 mes5/i586/ipxutils-2.2.6-11.1mdvmes5.2.i586.rpm 0dbf3442bdd1bc35e6dc182ab882d5e7 mes5/i586/libncpfs2.3-2.2.6-11.1mdvmes5.2.i586.rpm b82ff57e35735820beca479f3672e726 mes5/i586/libncpfs-devel-2.2.6-11.1mdvmes5.2.i586.rpm 200927f0fc7ca522bff2a90603769c50 mes5/i586/ncpfs-2.2.6-11.1mdvmes5.2.i586.rpm b4aa6cbd99550b668b7a89d325e41057 mes5/SRPMS/ncpfs-2.2.6-11.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 5c2458c454fff46aa08d74bd3ba54d85 mes5/x86_64/ipxutils-2.2.6-11.1mdvmes5.2.x86_64.rpm 972072ba08cf8ff225c88fe4cce82045 mes5/x86_64/lib64ncpfs2.3-2.2.6-11.1mdvmes5.2.x86_64.rpm c804f96412d96bff4bf1a5e0295e0cdf mes5/x86_64/lib64ncpfs-devel-2.2.6-11.1mdvmes5.2.x86_64.rpm fae97a2b8fa0f30b7f6f7807ce0db266 mes5/x86_64/ncpfs-2.2.6-11.1mdvmes5.2.x86_64.rpm b4aa6cbd99550b668b7a89d325e41057 mes5/SRPMS/ncpfs-2.2.6-11.1mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFPxKxTmqjQ0CJFipgRAtoOAKCRxbJwQ0yW44UgMUyxjoxP2nFAhwCbB7FP Bvdg632woGNCsJSj7Nw33oE= =JIwY -----END PGP SIGNATURE-----