| Summary: | ncpfs new security issues CVE-2011-1679 and CVE-2011-1680 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| Whiteboard: | mga2-64-OK, mga1-64-OK | ||
| Source RPM: | ncpfs-2.2.6-10.mga1.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2012-05-29 17:24:28 CEST
Am I correct in understanding that testing this will require access to a Novel Netware server? CC:
(none) =>
davidwhodgins (In reply to comment #1) > Am I correct in understanding that testing this will require access to > a Novel Netware server? Unless there's some way to emulate Netware file sharing on Linux, I believe so. I actually used ncpfs 10 years ago to access my student folder at the university I was at, back when the whole state government used Netware. I don't know if anybody still uses it now. I'm not sure how QA is really supposed to test this. I suppose you could ask on the mageia-discuss list if anyone still uses this, but I'd be surprised to find anyone. I'll ask on the general discussion list, and the usenet newsgroup. If we don't get anyone with access to a netware server to help testing, within a few days, the only testing we can do, is to ensure the packages install without errors, and will the update will be validated based on that. If someone can confirm the update installs ok on x86-64, I think we should go ahead and validate this one. I'd rather have a user get a possibly broken update, then to leave them with a known insecure system. I'll also suggest obsoleting this package for Mageia 3, unless we have a user of Novell Netware, who is willing to help with future qa testing of the ncpfs package. Tested x86_64 MGA2 Installed from release then installed the update candidate. It seems to have a versioned require on the lib as that was pulled in too. Tried a few commands from $ urpmf ncpfs | grep bin $ urpmf ipxutils | grep bin but without any success. ipxdump <number> seemed to listen. Others complained of unknown user. Tested a few with --help or -h and they were able to produce their very limited help. I agree with you Dave that without the proper equipment we can do little more to test this. Unless there are users willing to test then very basic checks are all we can do. I'll check mga1 later Whiteboard:
(none) =>
mga2-64-OK Tested in the same way mga1 x86_64 with the same results. If you've completed i586 Dave we can validate these two. Whiteboard:
mga2-64-OK =>
mga2-64-OK, mga1-64-OK Validating the update. Could someone from the sysadmin team push the Mageia 2 srpm ncpfs-2.2.6-11.1.mga2.src.rpm from Core Updates Testing to Core updates, and the Mageia 1 srpm ncpfs-2.2.6-11.1.mga1.src.rpm from Core Updates Testing to Core updates. Advisory: Updated ncpfs packages fix security vulnerabilities: ncpfs 2.2.6 and earlier attempts to use (1) ncpmount to append to the /etc/mtab file and (2) ncpumount to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089 (CVE-2011-1679). ncpmount in ncpfs 2.2.6 and earlier does not remove the /etc/mtab~ lock file after a failed attempt to add a mount entry, which has unspecified impact and local attack vectors (CVE-2011-1680). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1679 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1680 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:084 https://bugs.mageia.org/show_bug.cgi?id=6153 Keywords:
(none) =>
validated_update Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0112 Status:
NEW =>
RESOLVED |