-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear colleagues,

we have just received the following Fedora Security Advisory. We are
passing this information on to you unchanged.

The pam_mount module uses the libHX library.

CVE-2010-2947 - Buffer overflow vulnerability in the HX_split() function

In the libHX library, the HX_split() function (string.c) does not
sufficiently check the number of values passed to it. Passing fewer
values than expected can trigger a buffer overflow on the heap. A remote
attacker can exploit this vulnerability to execute arbitrary commands
with the privileges of the user or service that uses the libHX library.

The following software packages and platforms are affected:
Packages libHX, pam_mount
Fedora 14

The vendor provides revised packages.

(c) of the German summary by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with reference to the
originator, DFN-CERT Services GmbH, and only for non-commercial
purposes.

With kind regards,
Detlev O. Matthies
--
Detlev O. Matthies, M.Sc. (Incident Response Team)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / Register: Hamburg, Hamburg District Court, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Automatic warning messages https://www.cert.dfn.de/autowarn
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-12950
2010-08-17 19:33:34
--------------------------------------------------------------------------------
Name : pam_mount
Product : Fedora 14
Version : 2.5
Release : 1.fc14
URL : http://pam-mount.sourceforge.net/
Summary : A PAM module that can mount volumes for a user session
Description :
This module is aimed at environments with central file servers that a
user wishes to mount on login and unmount on logout, such as
(semi-)diskless stations where many users can logon.
The module also supports mounting local filesystems of any kind the
normal mount utility supports, with extra code to make sure certain
volumes are set up properly because often they need more than just a
mount call, such as encrypted volumes. This includes SMB/CIFS, NCP,
davfs2, FUSE, losetup crypto, dm-crypt/cryptsetup and truecrypt.
If you intend to use pam_mount to protect volumes on your computer
using an encrypted filesystem system, please know that there are many
other issues you need to consider in order to protect your data. For
example, you probably want to disable or encrypt your swap partition.
Don’t assume a system is secure without carefully considering
potential threats.
--------------------------------------------------------------------------------
Update Information:
Update to libHX 3.6 fixing a buffer overflow in HX_split():
* http://libhx.git.sourceforge.net/git/gitweb.cgi?p=libhx/libhx;a=commitdiff;h=904a46f90d
pam_mount v2.5 (August 10 2010)
===============================
Changes:
- mount.crypt: fix incorrect processing of binary files in keyfile passthrough
- call mount.crypt by means of mount -t crypt (selinux), same for umount
- reorder the default path to search in /usr/local first, then /usr, /
- config: add missing fd0ssh command to restore volumes using ssh
- ofl is now run as a separate process (selinux policy simplification)
libHX v3.6 (August 16 2010)
===========================
Fixed:
- bitmap: set/clear/test had no effect due to wrong type selection
- bitmap: avoid left-shift larger than type on 64-bit
- string: fixed buffer overflow in HX_split when too few fields were present in the input
libHX 3.5 (August 01 2010)
==========================
Fixed:
- format2: failure to skip escaped char in "%(echo foo\ bar)" was corrected
- proc: properly check for HXPROC_STDx–HXPROC_STDx_NULL overlap
- strquote: do not cause allocation with invalid format numbers
Enhancements:
- format2: add the %(exec) function
- format2: add the %(shell) function
- format2: security feature for %(exec) and %(shell)
- format2: add the %(snl) function
- string: HX_strquote gained HXQUOTE_LDAPFLT (LDAP search filter) support
- string: HX_strquote gained HXQUOTE_LDAPRDN (LDAP relative DN) support
Changes:
- format1: removed older formatter in favor of format2
- format2: add check for empty key
- format2: function-specific delimiters
- format2: do nest-counting even with normal parentheses
- format2: check for zero-argument function calls
- hashmap: do not needlessly change TID when no reshape was done
- string: HX_basename (the fast variant) now recognizes the root directory
- string: HX_basename now returns the trailing component with slashes instead of everything after the last slash (which may have been nothing)
--------------------------------------------------------------------------------
ChangeLog:
* Mon Aug 16 2010 Till Maas
- Update to latest release
- Update libHX dependency
- remove upstreamed patches
- do not package pam_mount.txt (RH #615714)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #625866 - CVE-2010-2947 libHX: buffer overrun in HX_split()
https://bugzilla.redhat.com/show_bug.cgi?id=625866
--------------------------------------------------------------------------------
This update can be installed with the “yum” update program. Use
su -c 'yum update pam_mount' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iEYEARECAAYFAkzK39sACgkQWmhIvjFb90WECACgjoQJXNFHn1dzqR2C/UaMvf2T
ULsAoIMhG413BKG5/pPbwuzz2sR3ilq0
=Bt9t
-----END PGP SIGNATURE-----
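
The condition the advisory names for HX_split() (fewer fields in the input than the caller expects) is handled below by clamping the field limit before the result vector is sized and filled. This is an added C example, not libHX code and not part of the advisory; `split_fields` and `free_fields` are hypothetical names, and it assumes a splitter that takes a maximum field count.

```c
#include <stdlib.h>
#include <string.h>

/* Free a vector returned by split_fields(). */
void free_fields(char **vec)
{
	if (vec == NULL)
		return;
	for (char **p = vec; *p != NULL; ++p)
		free(*p);
	free(vec);
}

/*
 * Hypothetical helper, not libHX code: split str on any character in delim
 * into at most max fields (max <= 0 means no limit). Returns a
 * NULL-terminated vector and stores the number of fields in *count.
 */
char **split_fields(const char *str, const char *delim, int max, int *count)
{
	int present = 1;	/* fields actually present in the input */
	for (const char *p = str; (p = strpbrk(p, delim)) != NULL; ++p)
		++present;

	/*
	 * Clamp the caller's limit to what the input holds. Sizing the vector
	 * from `present` but filling it `max` times would write past the end
	 * of the heap block whenever the input has too few fields.
	 */
	int n = (max <= 0 || present < max) ? present : max;

	char **vec = calloc((size_t)n + 1, sizeof(*vec));
	if (vec == NULL)
		return NULL;

	const char *cur = str;
	for (int i = 0; i < n; ++i) {
		/* The last slot takes the rest of the string, delimiters included. */
		size_t len = (i < n - 1) ? strcspn(cur, delim) : strlen(cur);
		vec[i] = malloc(len + 1);
		if (vec[i] == NULL) {
			free_fields(vec);
			return NULL;
		}
		memcpy(vec[i], cur, len);
		vec[i][len] = '\0';
		cur += len + 1;	/* step over the delimiter */
	}
	*count = n;
	return vec;
}
```

Building callers and tests with AddressSanitizer (`-fsanitize=address`) makes any remaining out-of-bounds heap write in code of this shape fail loudly instead of silently corrupting memory.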