============================================
 ncpfs, Multiple Vulnerabilities
 March 5, 2010
 CVE-2010-0788, CVE-2010-0790, CVE-2010-0791
============================================

==Description==

The ncpmount, ncpumount, and ncplogin utilities, installed as part of the ncpfs
package, contain several vulnerabilities.

1. ncpmount, ncpumount, and ncplogin are vulnerable to race conditions that
allow a local attacker to unmount arbitrary mountpoints, causing
denial-of-service, or mount Netware shares to arbitrary directories,
potentially leading to root compromise.  This issue was formerly assigned
CVE-2009-3297, but has since been re-assigned CVE-2010-0788 to avoid overlap
with related bugs in other packages.

2. ncpumount is vulnerable to an information disclosure vulnerability that
allows a local attacker to verify the existence of arbitrary files, violating
directory permissions.  This issue has been assigned CVE-2010-0790.

3. ncpmount, ncpumount, and ncplogin create lockfiles insecurely, allowing a
local attacker to leave a stale lockfile at /etc/mtab~, causing other mount
utilities to fail and creating denial-of-service conditions.  This issue has
been assigned CVE-2010-0791.

==Workaround==

If unprivileged users do not need the ability to mount and unmount Netware
shares, then the suid bit should be removed from these utilities.

==Solution==

A patch has been released that resolves these issues (attached to this
advisory).  ncpfs-2.2.6.partial.patch is intended for ncpfs releases that have
already been patched against the first vulnerability in this report
(CVE-2010-0788, formerly CVE-2009-3297).  It has been tested against the latest
ncpfs packages distributed by Fedora, Red Hat, and Mandriva.
ncpfs-2.2.6.full.patch is intended for ncpfs releases that have not been
patched against any of these vulnerabilities.  It has been tested against the
latest ncpfs packages distributed by Debian, Ubuntu, and the upstream release
(ftp://platan.vc.cvut.cz/pub/linux/ncpfs/).

Users are advised to recompile from source, or request updated packages from
downstream distributors.

==Credits==

These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenberg@gmail.com).
Thanks to Vitezslav Crhonek for the patch against the first issue.

==References==

CVE identifiers CVE-2010-0788, CVE-2010-0790, and CVE-2010-0791 have been
assigned to these issues.