-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:061 http://www.mandriva.com/security/ _______________________________________________________________________ Package : ncpfs Date : March 11, 2010 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0, Enterprise Server 5.0, Multi Network Firewall 2.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been found and corrected in ncpfs: sutil/ncpumount.c in ncpumount in ncpfs 2.2.6 produces certain detailed error messages about the results of privileged file-access attempts, which allows local users to determine the existence of arbitrary files via the mountpoint name (CVE-2010-0790). The (1) ncpmount, (2) ncpumount, and (3) ncplogin programs in ncpfs 2.2.6 do not properly create lock files, which allows local users to cause a denial of service (application failure) via unspecified vectors that trigger the creation of a /etc/mtab~ file that persists after the program exits (CVE-2010-0791). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0790 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0791 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: f7a8ca8faffce840a6814724a9f4e13a 2008.0/i586/ipxutils-2.2.6-3.2mdv2008.0.i586.rpm e26483fd14e02674e71ad594181ed79e 2008.0/i586/libncpfs2.3-2.2.6-3.2mdv2008.0.i586.rpm 9451cbbdd8249de6f9c6b2419ae747f9 2008.0/i586/libncpfs2.3-devel-2.2.6-3.2mdv2008.0.i586.rpm 84d5f1ef0b99acc91bb24554f3f77ae1 2008.0/i586/ncpfs-2.2.6-3.2mdv2008.0.i586.rpm 5fefe503c4ae846c53e1311c9b7d0fd9 2008.0/SRPMS/ncpfs-2.2.6-3.2mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 317825e9ba230cb79948eabfffb909f3 2008.0/x86_64/ipxutils-2.2.6-3.2mdv2008.0.x86_64.rpm 532c1b50f1e7e3c18a8e78c6d9a99674 2008.0/x86_64/lib64ncpfs2.3-2.2.6-3.2mdv2008.0.x86_64.rpm 05509d44fa66199cce0e607f5f748ce8 2008.0/x86_64/lib64ncpfs2.3-devel-2.2.6-3.2mdv2008.0.x86_64.rpm 755ee4bbf43040f15faeefad1d6b9bd1 2008.0/x86_64/ncpfs-2.2.6-3.2mdv2008.0.x86_64.rpm 5fefe503c4ae846c53e1311c9b7d0fd9 2008.0/SRPMS/ncpfs-2.2.6-3.2mdv2008.0.src.rpm Mandriva Linux 2009.0: df608af475e518bc672ec54080a71129 2009.0/i586/ipxutils-2.2.6-6.2mdv2009.0.i586.rpm bc02fbfe14425e3a3085c9b08c99ae1c 2009.0/i586/libncpfs2.3-2.2.6-6.2mdv2009.0.i586.rpm ee0c1b55e7d8135de3d904de32fffba4 2009.0/i586/libncpfs-devel-2.2.6-6.2mdv2009.0.i586.rpm 32a63bfd400cd0a12cf2f98dbbb2fe37 2009.0/i586/ncpfs-2.2.6-6.2mdv2009.0.i586.rpm c80af8183956c89533f5d29018a5da3f 2009.0/SRPMS/ncpfs-2.2.6-6.2mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 8e2466b981f678e0300c005d2891b727 2009.0/x86_64/ipxutils-2.2.6-6.2mdv2009.0.x86_64.rpm 853cf68f0b74bb5338b4a59a2c851f3f 2009.0/x86_64/lib64ncpfs2.3-2.2.6-6.2mdv2009.0.x86_64.rpm 784e732a2fc55020081a49f08860c0b4 2009.0/x86_64/lib64ncpfs-devel-2.2.6-6.2mdv2009.0.x86_64.rpm 2c60654e5812e8b2bed23dd25b92a2e6 2009.0/x86_64/ncpfs-2.2.6-6.2mdv2009.0.x86_64.rpm c80af8183956c89533f5d29018a5da3f 2009.0/SRPMS/ncpfs-2.2.6-6.2mdv2009.0.src.rpm Mandriva Linux 2009.1: 550f4e8f2220a1f9897e8acf9c8aa35d 2009.1/i586/ipxutils-2.2.6-7.2mdv2009.1.i586.rpm 99a731ac177a83950ec5d08a1a2f74cf 2009.1/i586/libncpfs2.3-2.2.6-7.2mdv2009.1.i586.rpm 5ffd14de2ec5a3585967ca0bdcff5268 2009.1/i586/libncpfs-devel-2.2.6-7.2mdv2009.1.i586.rpm 04232470e8c0206cf211d2bb991eb5f2 2009.1/i586/ncpfs-2.2.6-7.2mdv2009.1.i586.rpm f9959c23aba2806c3f7fd3078b58d233 2009.1/SRPMS/ncpfs-2.2.6-7.2mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: 11400b2d8f1e646ce3913d6a4f9370dc 2009.1/x86_64/ipxutils-2.2.6-7.2mdv2009.1.x86_64.rpm 90c272182b6d9fb9fdc64dec5ae2a030 2009.1/x86_64/lib64ncpfs2.3-2.2.6-7.2mdv2009.1.x86_64.rpm 66cfe5705b55b4c1aaa0907dabf77a91 2009.1/x86_64/lib64ncpfs-devel-2.2.6-7.2mdv2009.1.x86_64.rpm 0ff7654b1c841d8a1fb9d4c45d808306 2009.1/x86_64/ncpfs-2.2.6-7.2mdv2009.1.x86_64.rpm f9959c23aba2806c3f7fd3078b58d233 2009.1/SRPMS/ncpfs-2.2.6-7.2mdv2009.1.src.rpm Mandriva Linux 2010.0: f848b1bfb0d52e4dcdec0b9808ac509a 2010.0/i586/ipxutils-2.2.6-7.2mdv2010.0.i586.rpm 54aa704c0b1af11e042dcd9672de3e25 2010.0/i586/libncpfs2.3-2.2.6-7.2mdv2010.0.i586.rpm 93a2e667cd3543960897e35d2cb0cab8 2010.0/i586/libncpfs-devel-2.2.6-7.2mdv2010.0.i586.rpm 1f8d2304c8140ef4a9f86c5f91dc2503 2010.0/i586/ncpfs-2.2.6-7.2mdv2010.0.i586.rpm 832c3cf3bd76b027e3551f21c42d4e63 2010.0/SRPMS/ncpfs-2.2.6-7.2mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: 7a92ccdf00e1969312ceba039a383c5b 2010.0/x86_64/ipxutils-2.2.6-7.2mdv2010.0.x86_64.rpm 090c7dfaa946377d3973e059133db67c 2010.0/x86_64/lib64ncpfs2.3-2.2.6-7.2mdv2010.0.x86_64.rpm b3157282b6c4a3b8d2e5c996a9dc48b4 2010.0/x86_64/lib64ncpfs-devel-2.2.6-7.2mdv2010.0.x86_64.rpm 722201fa17838a7bbcf75afe9e51d0b9 2010.0/x86_64/ncpfs-2.2.6-7.2mdv2010.0.x86_64.rpm 832c3cf3bd76b027e3551f21c42d4e63 2010.0/SRPMS/ncpfs-2.2.6-7.2mdv2010.0.src.rpm Corporate 4.0: 36221d2e2f7f7b6f1afaf8a0fbb4cc43 corporate/4.0/i586/ipxutils-2.2.6-1.2.20060mlcs4.i586.rpm 04ed54c9ef53c7b7bc8d6c5bc82875ec corporate/4.0/i586/libncpfs2.3-2.2.6-1.2.20060mlcs4.i586.rpm ffc910168a47678c9e26b8a999eebba1 corporate/4.0/i586/libncpfs2.3-devel-2.2.6-1.2.20060mlcs4.i586.rpm d62caa887b9a0afede029092cb94210c corporate/4.0/i586/ncpfs-2.2.6-1.2.20060mlcs4.i586.rpm ad5fc693c4b8099f793e60fd8e362497 corporate/4.0/SRPMS/ncpfs-2.2.6-1.2.20060mlcs4.src.rpm Corporate 4.0/X86_64: 010aac4bbd8b97be07f4cf95728aa73f corporate/4.0/x86_64/ipxutils-2.2.6-1.2.20060mlcs4.x86_64.rpm dafdc2c37fd80aa4dd23e909cb443600 corporate/4.0/x86_64/lib64ncpfs2.3-2.2.6-1.2.20060mlcs4.x86_64.rpm 82ddb2436bdf862367339606b2458373 corporate/4.0/x86_64/lib64ncpfs2.3-devel-2.2.6-1.2.20060mlcs4.x86_64.rpm 2102a419baacc322e3323a2db9b7bd0c corporate/4.0/x86_64/ncpfs-2.2.6-1.2.20060mlcs4.x86_64.rpm ad5fc693c4b8099f793e60fd8e362497 corporate/4.0/SRPMS/ncpfs-2.2.6-1.2.20060mlcs4.src.rpm Mandriva Enterprise Server 5: 67e97534bae7efeb19fbcc9903b6abc0 mes5/i586/ipxutils-2.2.6-6.2mdvmes5.i586.rpm 9a40d5174ab91bbce961034c60708f15 mes5/i586/libncpfs2.3-2.2.6-6.2mdvmes5.i586.rpm 5ae0613e36539f1be008969522dbaa95 mes5/i586/libncpfs-devel-2.2.6-6.2mdvmes5.i586.rpm 30b0ec51a7ab456ecaeb3d98fc6ba292 mes5/i586/ncpfs-2.2.6-6.2mdvmes5.i586.rpm c16bd63bb48549bbee38c14b280c5d54 mes5/SRPMS/ncpfs-2.2.6-6.2mdv2009.0.src.rpm Mandriva Enterprise Server 5/X86_64: 2ea07838c868cf99959b263831cfe51f mes5/x86_64/ipxutils-2.2.6-6.2mdvmes5.x86_64.rpm 28c1d5b37556e3143badbf296e6faf59 mes5/x86_64/lib64ncpfs2.3-2.2.6-6.2mdvmes5.x86_64.rpm 5b697ab26fa6709fd6fb759c0893921e mes5/x86_64/lib64ncpfs-devel-2.2.6-6.2mdvmes5.x86_64.rpm b9674e0cbbb6c61f711760fa05152d26 mes5/x86_64/ncpfs-2.2.6-6.2mdvmes5.x86_64.rpm c16bd63bb48549bbee38c14b280c5d54 mes5/SRPMS/ncpfs-2.2.6-6.2mdv2009.0.src.rpm Multi Network Firewall 2.0: 8024befbd43bcf81f84103753610bbb7 mnf/2.0/i586/ipxutils-2.2.6-0.3.M20mdk.i586.rpm d97f0d32ad39007d7b2c4634bc84fd27 mnf/2.0/i586/libncpfs2.3-2.2.6-0.3.M20mdk.i586.rpm 027010fa612a861b59e7b2fb15d7b834 mnf/2.0/i586/libncpfs2.3-devel-2.2.6-0.3.M20mdk.i586.rpm 4c0f378c6fcc6e2f44688d85435aa439 mnf/2.0/i586/ncpfs-2.2.6-0.3.M20mdk.i586.rpm 5a0d9c59bc8086de2bff5667368410e4 mnf/2.0/SRPMS/ncpfs-2.2.6-0.3.M20mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFLmRzKmqjQ0CJFipgRAj8yAKCMkOkncxrNGnvpL6G1/LalaXRotwCfSSd6 4PVYweKC3SBfXc+UzESlZvc= =7niG -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/