Bugzilla – Bug 594263
VUL-1: CVE-2010-0296: glibc improper escaping of certain characters
Last modified: 2019-05-01 15:19:20 UTC
Your friendly security team received the following report via vendor-sec. Please respond ASAP. This issue is not public yet, please keep any information about it inside SUSE. Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

I somehow overlooked that yesterday, CRD today.

------------------------------------------------------------------------------
Date: Tue, 06 Apr 2010 16:40:27 +0200
From: Jan Lieskovsky <jlieskov@redhat.com>
Subject: Re: [vendor-sec] Embargoed security issue in glibc -- CVE-2010-0296 -- improper escaping of certain character in encode_name()

Glibc background:
-----------------
The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, the Linux system cannot function properly.

CVE-2010-0296 flaw:
-------------------
Dan Rosenberg found that "ncpmount" and "mount.cifs" failed to properly sanitize provided mountpoint directory names (specifically, special characters such as newlines were not stripped). An attacker could create a directory with newline characters in its name and issue an ncpmount / mount.cifs command to mount to that directory, allowing them to corrupt /etc/mtab and potentially add unauthorized mounting options for other devices.

Note:
-----
For this flaw to be exploited, the "ncpmount" and "mount.cifs" binaries are required to be equipped with the setuid root attribute.

Later Jeff Layton realized that this is not only an ncpmount / mount.cifs specific issue, but rather a more common glibc issue -- a deficiency in the way glibc's encode_name() macro escaped the "\n" sequence:
http://www.loongson.cn/svn/toolchain-gs/trunk/glibc-2.3.6/misc/mntent_r.c

It escapes "\n" properly when called via shell, i.e.:

$ mkdir "testline1\ntestline2"
$ cd testline1\\ntestline2/

(that's ok) but fails to do that when "mkdir (2)" is called from C, Perl, etc.

Flaw patch details:
-------------------
This issue was already addressed as CVE-2010-0547 for mount.cifs:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
and within the CVE-2009-3297 ncpfs "ncpfs-2.2.6.full.patch" patch by Vitezslav Crhonek:
[2] http://seclists.org/fulldisclosure/2010/Mar/122
[3] http://seclists.org/fulldisclosure/2010/Mar/att-122/ncpfs-2_2_6_full.patch
(the "static int check_name(const char *name)" routine).

Though, due to the fact that there still might be some setuid root enabled binaries on the system with the capability to edit the /etc/mtab file and prone to this flaw, a dedicated CVE identifier of CVE-2010-0296 has been assigned for the glibc encode_name() macro issue.

Patch from Jeff Layton:
-----------------------
See attached "0001-addmntent-handle-newlines-correctly-in-encode_name-m.patch".

PoC by Dan Rosenberg:
--------------------
$ cat mk.c
#include <sys/stat.h>
#include <sys/types.h>

/* create a directory whose name contains a literal newline;
   mkdir(2) takes a mode argument, so 0755 is passed here */
int main(void)
{
	mkdir("testline3\ntestline4", 0755);
	return 0;
}
$ gcc mk.c -o mk
$ ./mk
$ cd 'testline3
testline4'/
$ mount.cifs / ncpmount service 'testline3
testline4'/
$ cat /etc/mtab

Result:
-------
On vulnerable glibc packages, the "testline3\ntestline4" mount point record in /etc/mtab is split into two rows. Once the patch from Jeff is applied, "\n" is properly escaped. Adjusting the above PoC to contain something more meaningful than just "testline3\ntestline4" is left as an exercise.

CVE identifier:
---------------
The CVE identifier CVE-2010-0296 has been assigned to this.

Coordinated Release Date:
-------------------------
Wednesday, 2010-04-07

Credit:
-------
ncpmount / mount.cifs issue discovered by Dan Rosenberg, generalized to a glibc issue by Jeff Layton.
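The record splitting described in the report above, shown end to end as an added illustration (this is not glibc's code, not the attached patch, and not part of the original vendor-sec mail). It re-implements the octal escaping convention that /etc/mtab fields use (space as \040, tab as \011, newline as \012, backslash as \134), lays out a record the way addmntent() does (fsname dir type opts freq passno), and counts how many records a line-oriented reader such as getmntent() would then see. The "unpatched" encoder is a simplification standing in for the pre-fix encode_name() macro, whose exact text this page does not reproduce: it is assumed to differ from the fixed encoder only in the missing newline case. The fsname, type and options used are constructed sample values.

```c
/* Added illustration for CVE-2010-0296: a mount point name containing a
 * newline becomes two /etc/mtab records unless the writer escapes it.
 * Not glibc's code. The "unpatched" encoder is an assumption: it stands in
 * for the pre-fix encode_name() macro by omitting only the newline case. */
#include <stdio.h>
#include <string.h>

/* Octal escapes used in /etc/mtab and /etc/fstab fields. */
static const char *escape_for(char c, int escape_newline)
{
    switch (c) {
    case ' ':  return "\\040";
    case '\t': return "\\011";
    case '\\': return "\\134";
    case '\n': return escape_newline ? "\\012" : NULL;
    default:   return NULL;
    }
}

/* Encode one field into out (size outsz). Returns out, or NULL if it would not fit. */
static char *encode_field(const char *in, char *out, size_t outsz, int escape_newline)
{
    size_t w = 0;
    for (; *in; in++) {
        const char *esc = escape_for(*in, escape_newline);
        size_t n = esc ? strlen(esc) : 1;
        if (w + n + 1 > outsz)          /* keep room for the terminating NUL */
            return NULL;
        if (esc) memcpy(out + w, esc, n); else out[w] = *in;
        w += n;
    }
    out[w] = '\0';
    return out;
}

char *encode_field_unpatched(const char *in, char *out, size_t outsz)
{ return encode_field(in, out, outsz, 0); }   /* newline passes through */

char *encode_field_fixed(const char *in, char *out, size_t outsz)
{ return encode_field(in, out, outsz, 1); }   /* newline becomes \012 */

/* Reverse the escaping, as a reader does when parsing the file back. */
char *decode_field(const char *in, char *out, size_t outsz)
{
    static const struct { const char *esc; char c; } tbl[] = {
        { "\\040", ' ' }, { "\\011", '\t' }, { "\\012", '\n' }, { "\\134", '\\' },
    };
    size_t w = 0;
    while (*in) {
        char c = *in;
        size_t adv = 1, i;
        for (i = 0; i < 4; i++)
            if (strncmp(in, tbl[i].esc, 4) == 0) { c = tbl[i].c; adv = 4; break; }
        if (w + 2 > outsz)
            return NULL;
        out[w++] = c;
        in += adv;
    }
    out[w] = '\0';
    return out;
}

/* Lay out one record as addmntent() does: fsname dir type opts freq passno. */
char *format_mntent(const char *fsname, const char *dir, const char *type,
                    const char *opts, char *out, size_t outsz, int fixed)
{
    char efs[256], edir[256], etype[256], eopts[256];
    char *(*enc)(const char *, char *, size_t) = fixed ? encode_field_fixed
                                                       : encode_field_unpatched;
    if (!enc(fsname, efs, sizeof efs) || !enc(dir, edir, sizeof edir) ||
        !enc(type, etype, sizeof etype) || !enc(opts, eopts, sizeof eopts))
        return NULL;
    if (snprintf(out, outsz, "%s %s %s %s 0 0\n", efs, edir, etype, eopts) >= (int)outsz)
        return NULL;
    return out;
}

/* Records a line-oriented reader would see: one per newline-terminated line. */
int count_records(const char *mtab)
{
    int n = 0;
    for (; *mtab; mtab++) if (*mtab == '\n') n++;
    return n;
}

/* One-shot helpers on static storage (constructed sample fsname/type/opts). */
const char *encode_fixed_s(const char *in)     { static char b[256]; return encode_field_fixed(in, b, sizeof b); }
const char *encode_unpatched_s(const char *in) { static char b[256]; return encode_field_unpatched(in, b, sizeof b); }
const char *decode_s(const char *in)           { static char b[256]; return decode_field(in, b, sizeof b); }
int records_for_dir(const char *dir, int fixed)
{
    static char line[1024];
    if (!format_mntent("//srv/share", dir, "cifs", "rw,user=alice", line, sizeof line, fixed))
        return -1;
    return count_records(line);
}

int main(void)
{
    const char *dir = "testline3\ntestline4";   /* the PoC's mount point name */
    printf("unpatched: %d record(s)\nfixed:     %d record(s)\n",
           records_for_dir(dir, 0), records_for_dir(dir, 1));
    printf("escaped as: %s\nround trip: %s\n", encode_fixed_s(dir),
           strcmp(decode_s(encode_fixed_s(dir)), dir) == 0 ? "ok" : "FAILED");
    return 0;
}
```

With the unpatched encoder the text after the newline starts a second line, so whatever the caller placed after the newline in the directory name is read back as the first field of a fresh record; that is the corruption the report describes, and why the fix belongs in the escaping routine rather than in each setuid caller.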
(public in the meantime)
The SWAMPID for this issue is 34336. This issue was rated as moderate. Please submit fixed packages as soon as possible. Also create a patchinfo file using this link: https://swamp.suse.de/webswamp/wf/34336
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-64bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-x86, glibc-x86, nscd
Products: SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SDK 11-SP1 (i386, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
this apparently needs to be fixed for SLE11-GA as well.
Update released for: glibc, glibc-devel, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-profile, nscd, timezone
Products: Novell-Linux-POS 9 (i386) Open-Enterprise-Server 9 (i386) SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)
Fixes have been submitted everywhere now.
Update released for: glibc, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-obsolete, glibc-profile, nscd
Products: openSUSE 11.1 (debug, i586, i686, ppc, ppc64, x86_64)
Update released for: glibc, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-debuginfo, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-debuginfo, glibc-obsolete, glibc-obsolete-debuginfo, glibc-profile, nscd, nscd-debuginfo
Products: openSUSE 11.2 (debug, i586, i686, x86_64)
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-64bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-x86, glibc-x86, nscd
Products: SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11 (i386, x86_64) SLE-SDK 11 (i386, x86_64) SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
Update released for: glibc, glibc-32bit, glibc-64bit, glibc-dceext, glibc-dceext-32bit, glibc-dceext-64bit, glibc-dceext-devel, glibc-dceext-x86, glibc-debuginfo, glibc-devel, glibc-devel-32bit, glibc-devel-64bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-64bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-64bit, glibc-profile-x86, glibc-x86, nscd
Products: SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64) SLE-DESKTOP 10-SP3 (i386, x86_64) SLE-SAP-APL 10-SP3 (x86_64) SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-64bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-x86, glibc-x86, nscd
Products: SLE-DEBUGINFO 11 (ppc64) SLE-SERVER 11 (ppc64)
Update released for: glibc, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-obsolete, glibc-profile, nscd
Products: SUSE-MOBLIN 2.0 (i386) SUSE-MOBLIN 2.0-DEBUG (i386)
Update released for: glibc, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-obsolete, glibc-profile, nscd
Products: SUSE-MOBLIN 2.1 (i386) SUSE-MOBLIN 2.1-DEBUG (i386)
This is an autogenerated message for OBS integration:
This bug (594263) was mentioned in
https://build.opensuse.org/request/show/51396 11.1 / glibc
https://build.opensuse.org/request/show/51429 11.2:Test / glibc