lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1Npocu-0005gW-TI@titan.mandriva.com>
Date: Thu, 11 Mar 2010 21:05:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:061 ] ncpfs


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:061
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ncpfs
 Date    : March 11, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
           Enterprise Server 5.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in ncpfs:
 
 sutil/ncpumount.c in ncpumount in ncpfs 2.2.6 produces certain detailed
 error messages about the results of privileged file-access attempts,
 which allows local users to determine the existence of arbitrary
 files via the mountpoint name (CVE-2010-0790).
 
 The (1) ncpmount, (2) ncpumount, and (3) ncplogin programs in ncpfs
 2.2.6 do not properly create lock files, which allows local users
 to cause a denial of service (application failure) via unspecified
 vectors that trigger the creation of a /etc/mtab~ file that persists
 after the program exits (CVE-2010-0791).
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0790
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0791
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 f7a8ca8faffce840a6814724a9f4e13a  2008.0/i586/ipxutils-2.2.6-3.2mdv2008.0.i586.rpm
 e26483fd14e02674e71ad594181ed79e  2008.0/i586/libncpfs2.3-2.2.6-3.2mdv2008.0.i586.rpm
 9451cbbdd8249de6f9c6b2419ae747f9  2008.0/i586/libncpfs2.3-devel-2.2.6-3.2mdv2008.0.i586.rpm
 84d5f1ef0b99acc91bb24554f3f77ae1  2008.0/i586/ncpfs-2.2.6-3.2mdv2008.0.i586.rpm 
 5fefe503c4ae846c53e1311c9b7d0fd9  2008.0/SRPMS/ncpfs-2.2.6-3.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 317825e9ba230cb79948eabfffb909f3  2008.0/x86_64/ipxutils-2.2.6-3.2mdv2008.0.x86_64.rpm
 532c1b50f1e7e3c18a8e78c6d9a99674  2008.0/x86_64/lib64ncpfs2.3-2.2.6-3.2mdv2008.0.x86_64.rpm
 05509d44fa66199cce0e607f5f748ce8  2008.0/x86_64/lib64ncpfs2.3-devel-2.2.6-3.2mdv2008.0.x86_64.rpm
 755ee4bbf43040f15faeefad1d6b9bd1  2008.0/x86_64/ncpfs-2.2.6-3.2mdv2008.0.x86_64.rpm 
 5fefe503c4ae846c53e1311c9b7d0fd9  2008.0/SRPMS/ncpfs-2.2.6-3.2mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 df608af475e518bc672ec54080a71129  2009.0/i586/ipxutils-2.2.6-6.2mdv2009.0.i586.rpm
 bc02fbfe14425e3a3085c9b08c99ae1c  2009.0/i586/libncpfs2.3-2.2.6-6.2mdv2009.0.i586.rpm
 ee0c1b55e7d8135de3d904de32fffba4  2009.0/i586/libncpfs-devel-2.2.6-6.2mdv2009.0.i586.rpm
 32a63bfd400cd0a12cf2f98dbbb2fe37  2009.0/i586/ncpfs-2.2.6-6.2mdv2009.0.i586.rpm 
 c80af8183956c89533f5d29018a5da3f  2009.0/SRPMS/ncpfs-2.2.6-6.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 8e2466b981f678e0300c005d2891b727  2009.0/x86_64/ipxutils-2.2.6-6.2mdv2009.0.x86_64.rpm
 853cf68f0b74bb5338b4a59a2c851f3f  2009.0/x86_64/lib64ncpfs2.3-2.2.6-6.2mdv2009.0.x86_64.rpm
 784e732a2fc55020081a49f08860c0b4  2009.0/x86_64/lib64ncpfs-devel-2.2.6-6.2mdv2009.0.x86_64.rpm
 2c60654e5812e8b2bed23dd25b92a2e6  2009.0/x86_64/ncpfs-2.2.6-6.2mdv2009.0.x86_64.rpm 
 c80af8183956c89533f5d29018a5da3f  2009.0/SRPMS/ncpfs-2.2.6-6.2mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 550f4e8f2220a1f9897e8acf9c8aa35d  2009.1/i586/ipxutils-2.2.6-7.2mdv2009.1.i586.rpm
 99a731ac177a83950ec5d08a1a2f74cf  2009.1/i586/libncpfs2.3-2.2.6-7.2mdv2009.1.i586.rpm
 5ffd14de2ec5a3585967ca0bdcff5268  2009.1/i586/libncpfs-devel-2.2.6-7.2mdv2009.1.i586.rpm
 04232470e8c0206cf211d2bb991eb5f2  2009.1/i586/ncpfs-2.2.6-7.2mdv2009.1.i586.rpm 
 f9959c23aba2806c3f7fd3078b58d233  2009.1/SRPMS/ncpfs-2.2.6-7.2mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 11400b2d8f1e646ce3913d6a4f9370dc  2009.1/x86_64/ipxutils-2.2.6-7.2mdv2009.1.x86_64.rpm
 90c272182b6d9fb9fdc64dec5ae2a030  2009.1/x86_64/lib64ncpfs2.3-2.2.6-7.2mdv2009.1.x86_64.rpm
 66cfe5705b55b4c1aaa0907dabf77a91  2009.1/x86_64/lib64ncpfs-devel-2.2.6-7.2mdv2009.1.x86_64.rpm
 0ff7654b1c841d8a1fb9d4c45d808306  2009.1/x86_64/ncpfs-2.2.6-7.2mdv2009.1.x86_64.rpm 
 f9959c23aba2806c3f7fd3078b58d233  2009.1/SRPMS/ncpfs-2.2.6-7.2mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 f848b1bfb0d52e4dcdec0b9808ac509a  2010.0/i586/ipxutils-2.2.6-7.2mdv2010.0.i586.rpm
 54aa704c0b1af11e042dcd9672de3e25  2010.0/i586/libncpfs2.3-2.2.6-7.2mdv2010.0.i586.rpm
 93a2e667cd3543960897e35d2cb0cab8  2010.0/i586/libncpfs-devel-2.2.6-7.2mdv2010.0.i586.rpm
 1f8d2304c8140ef4a9f86c5f91dc2503  2010.0/i586/ncpfs-2.2.6-7.2mdv2010.0.i586.rpm 
 832c3cf3bd76b027e3551f21c42d4e63  2010.0/SRPMS/ncpfs-2.2.6-7.2mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 7a92ccdf00e1969312ceba039a383c5b  2010.0/x86_64/ipxutils-2.2.6-7.2mdv2010.0.x86_64.rpm
 090c7dfaa946377d3973e059133db67c  2010.0/x86_64/lib64ncpfs2.3-2.2.6-7.2mdv2010.0.x86_64.rpm
 b3157282b6c4a3b8d2e5c996a9dc48b4  2010.0/x86_64/lib64ncpfs-devel-2.2.6-7.2mdv2010.0.x86_64.rpm
 722201fa17838a7bbcf75afe9e51d0b9  2010.0/x86_64/ncpfs-2.2.6-7.2mdv2010.0.x86_64.rpm 
 832c3cf3bd76b027e3551f21c42d4e63  2010.0/SRPMS/ncpfs-2.2.6-7.2mdv2010.0.src.rpm

 Corporate 4.0:
 36221d2e2f7f7b6f1afaf8a0fbb4cc43  corporate/4.0/i586/ipxutils-2.2.6-1.2.20060mlcs4.i586.rpm
 04ed54c9ef53c7b7bc8d6c5bc82875ec  corporate/4.0/i586/libncpfs2.3-2.2.6-1.2.20060mlcs4.i586.rpm
 ffc910168a47678c9e26b8a999eebba1  corporate/4.0/i586/libncpfs2.3-devel-2.2.6-1.2.20060mlcs4.i586.rpm
 d62caa887b9a0afede029092cb94210c  corporate/4.0/i586/ncpfs-2.2.6-1.2.20060mlcs4.i586.rpm 
 ad5fc693c4b8099f793e60fd8e362497  corporate/4.0/SRPMS/ncpfs-2.2.6-1.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 010aac4bbd8b97be07f4cf95728aa73f  corporate/4.0/x86_64/ipxutils-2.2.6-1.2.20060mlcs4.x86_64.rpm
 dafdc2c37fd80aa4dd23e909cb443600  corporate/4.0/x86_64/lib64ncpfs2.3-2.2.6-1.2.20060mlcs4.x86_64.rpm
 82ddb2436bdf862367339606b2458373  corporate/4.0/x86_64/lib64ncpfs2.3-devel-2.2.6-1.2.20060mlcs4.x86_64.rpm
 2102a419baacc322e3323a2db9b7bd0c  corporate/4.0/x86_64/ncpfs-2.2.6-1.2.20060mlcs4.x86_64.rpm 
 ad5fc693c4b8099f793e60fd8e362497  corporate/4.0/SRPMS/ncpfs-2.2.6-1.2.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 67e97534bae7efeb19fbcc9903b6abc0  mes5/i586/ipxutils-2.2.6-6.2mdvmes5.i586.rpm
 9a40d5174ab91bbce961034c60708f15  mes5/i586/libncpfs2.3-2.2.6-6.2mdvmes5.i586.rpm
 5ae0613e36539f1be008969522dbaa95  mes5/i586/libncpfs-devel-2.2.6-6.2mdvmes5.i586.rpm
 30b0ec51a7ab456ecaeb3d98fc6ba292  mes5/i586/ncpfs-2.2.6-6.2mdvmes5.i586.rpm 
 c16bd63bb48549bbee38c14b280c5d54  mes5/SRPMS/ncpfs-2.2.6-6.2mdv2009.0.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 2ea07838c868cf99959b263831cfe51f  mes5/x86_64/ipxutils-2.2.6-6.2mdvmes5.x86_64.rpm
 28c1d5b37556e3143badbf296e6faf59  mes5/x86_64/lib64ncpfs2.3-2.2.6-6.2mdvmes5.x86_64.rpm
 5b697ab26fa6709fd6fb759c0893921e  mes5/x86_64/lib64ncpfs-devel-2.2.6-6.2mdvmes5.x86_64.rpm
 b9674e0cbbb6c61f711760fa05152d26  mes5/x86_64/ncpfs-2.2.6-6.2mdvmes5.x86_64.rpm 
 c16bd63bb48549bbee38c14b280c5d54  mes5/SRPMS/ncpfs-2.2.6-6.2mdv2009.0.src.rpm

 Multi Network Firewall 2.0:
 8024befbd43bcf81f84103753610bbb7  mnf/2.0/i586/ipxutils-2.2.6-0.3.M20mdk.i586.rpm
 d97f0d32ad39007d7b2c4634bc84fd27  mnf/2.0/i586/libncpfs2.3-2.2.6-0.3.M20mdk.i586.rpm
 027010fa612a861b59e7b2fb15d7b834  mnf/2.0/i586/libncpfs2.3-devel-2.2.6-0.3.M20mdk.i586.rpm
 4c0f378c6fcc6e2f44688d85435aa439  mnf/2.0/i586/ncpfs-2.2.6-0.3.M20mdk.i586.rpm 
 5a0d9c59bc8086de2bff5667368410e4  mnf/2.0/SRPMS/ncpfs-2.2.6-0.3.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLmRzKmqjQ0CJFipgRAj8yAKCMkOkncxrNGnvpL6G1/LalaXRotwCfSSd6
4PVYweKC3SBfXc+UzESlZvc=
=7niG
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ