Bug 694598 (CVE-2011-2709) - VUL-0: CVE-2011-2709: libgssglue / libgssapi untrusted input dlopen()
Summary: VUL-0: CVE-2011-2709: libgssglue / libgssapi untrusted input dlopen()
Status: RESOLVED FIXED
Alias: CVE-2011-2709
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2011-06-03
Assignee: Marcus Meissner
QA Contact: E-mail List
URL:
Whiteboard: maint:released:sle10-sp4:41155 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-18 14:31 UTC by Sebastian Krahmer
Modified: 2013-07-29 09:00 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Sebastian Krahmer 2011-05-18 14:31:48 UTC
libgssglue, as linked against the suid mount.nfs, is using
getenv("GSSAPI_MECH_CONF") in its initialization functions and
subsequently parses that file. It uses dlopen() on the resulting input;
therefore, via mount.nfs, code can be executed as root, depending
on the setup (users must be allowed to mount an NFS share).

libgssglue might be used inside other +s programs as well,
so mount.nfs is not the only vector.

While fixing this for suids, we also need to ensure that fscaps
are honored.
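Added example (not libgssglue's code, and not part of the bug report): the defensive check a library like this needs before honoring GSSAPI_MECH_CONF. On Linux the kernel sets AT_SECURE in the auxiliary vector whenever a program gained privilege at exec time, whether through setuid/setgid bits or through file capabilities, so one check covers both the suid case and the fscaps case raised in the description; a bare getuid()/geteuid() comparison would miss fscaps. The default path, the function names and the constructed test path are assumptions; getauxval()/AT_SECURE are real glibc (>= 2.16) interfaces.

```c
/* Added example, not libgssglue's code: decide whether to honor the
 * GSSAPI_MECH_CONF environment variable in a possibly privileged process. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (glibc >= 2.16, Linux) */

/* Assumed default; the real library's built-in path may differ. */
#define DEFAULT_MECH_CONF "/etc/gssapi_mech.conf"

/* Non-zero when the process must not trust its environment.
 * AT_SECURE is set by the kernel for setuid/setgid binaries AND for
 * binaries that acquired file capabilities at exec, so it covers the
 * fscaps case that a plain uid/euid comparison does not. */
int running_secure(void)
{
    if (getauxval(AT_SECURE))
        return 1;
    /* Belt-and-braces fallback for environments without AT_SECURE. */
    return getuid() != geteuid() || getgid() != getegid();
}

/* The vulnerable pattern described in the bug: the environment picks the
 * file that gets parsed (and, in turn, which shared objects get dlopen()ed),
 * regardless of whether the process is privileged. */
const char *select_mech_conf_unchecked(void)
{
    const char *p = getenv("GSSAPI_MECH_CONF");
    return p ? p : DEFAULT_MECH_CONF;
}

/* Hardened pattern: the override is only honored when the process did not
 * gain privilege at exec.  'secure' is a parameter so the decision logic can
 * be exercised from an unprivileged test process. */
const char *select_mech_conf_checked(int secure)
{
    const char *p = secure ? NULL : getenv("GSSAPI_MECH_CONF");
    return p ? p : DEFAULT_MECH_CONF;
}

/* Convenience wrapper using the real privilege state of this process. */
const char *select_mech_conf(void)
{
    return select_mech_conf_checked(running_secure());
}

int main(void)
{
    printf("secure=%d mech.conf=%s\n", running_secure(), select_mech_conf());
    return 0;
}
```

glibc 2.17 and later expose the same decision as secure_getenv(), which returns NULL whenever AT_SECURE is set; a library that can be linked into setuid or capability-bearing programs should use that (or the check above) for every environment variable that influences file paths or dlopen() targets, not just this one.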
Comment 1 Thomas Biege 2011-05-23 08:16:57 UTC
ignore: p5->p3 mass change
Comment 2 Swamp Workflow Management 2011-05-27 13:00:34 UTC
The SWAMPID for this issue is 41150.
This issue was rated as important.
Please submit fixed packages until 2011-06-03.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Marcus Meissner 2011-05-27 13:32:01 UTC
The library was called libgssapi in SLES10 times; same flaw.
Comment 4 Marcus Meissner 2011-05-27 13:47:33 UTC
Submitted SLE10 + SLE11 packages + patchinfos.
openSUSE 11.3 and 11.4 will be done when public.
Comment 5 Thomas Biege 2011-06-24 12:04:32 UTC
released
Comment 6 Swamp Workflow Management 2011-06-24 15:38:17 UTC
Update released for: libgssapi
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 7 Swamp Workflow Management 2011-06-24 16:15:49 UTC
Update released for: libgssglue, libgssglue-devel, libgssglue1
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 8 Sebastian Krahmer 2011-07-25 06:52:47 UTC
CVE-2011-2709
Comment 9 Bernhard Wiedemann 2013-07-29 09:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (694598) was mentioned in
https://build.opensuse.org/request/show/184581 Factory / libgssglue