LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

nfs-utils: user-controlled /etc/mtab corruption

Package(s):nfs-utils CVE #(s):CVE-2011-1749
Created:July 14, 2011 Updated:March 22, 2012
Description:

From the Pardus advisory:

It was found that mount.nfs suffers from the same flaw as other mount helpers (see CVE-2011-1089). Instead of using addmntent(), nfs-utils implements its own similar function (nfs_addmntent()) which also fails to anticipate whether resource limits would interfere with correctly writing to /etc/mtab. A local user could use this to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value.

Alerts:
Mandriva MDVSA-2011:186 2011-12-12
Scientific Linux SL-nfs--20111206 2011-12-06
Red Hat RHSA-2011:1534-03 2011-12-06
openSUSE openSUSE-SU-2011:0747-1 2011-07-19
Pardus 2011-98 2011-07-14
Red Hat RHSA-2012:0310-03 2012-02-21
Oracle ELSA-2012-0310 2012-03-07
Scientific Linux SL-nfs--20120321 2012-03-21
(Log in to post comments)

nfs-utils: user-controlled /etc/mtab corruption

Posted Jul 21, 2011 9:26 UTC (Thu) by zuki (subscriber, #41808) [Link]

/etc/mtab? Shouldn't that be a link to /proc/self/mounts anyway?

nfs-utils: user-controlled /etc/mtab corruption

Posted Jul 28, 2011 12:49 UTC (Thu) by nix (subscriber, #2304) [Link]

Until very recently that broke user mounts, quotas, and much else. (Of course, *not* using /proc/self/mounts breaks chroots, pam_namespace and much else. What fun.)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds