Date: Tue, 19 Jun 2018 09:59:53 +0200 From: Matthias Gerstner <mgerstner@...e.de> To: oss-security@...ts.openwall.com Subject: Re: cantata: cantata-mounter D-Bus service local privilege escalation and other security issues > A) The mount target path check in mounter.cpp `mpOk()` is insufficient. > A regular user can this way mount a CIFS filesystem anywhere, and not > just beneath /home by passing relative path components. This was assigned CVE-2018-12559. > B) Arbitrary unmounts can be performed by regular users the same way. This was assigned CVE-2018-12560. > C) A regular user can inject additional mount options like file_mode= by > manipulating e.g. the domain parameter of the samba URL. This was assigned CVE-2018-12561. > D) The wrapper script 'mount.cifs.wrapper' uses the shell to forward the > arguments to the actual mount.cifs binary. The shell evaluates > wildcards which can also be injected like this: This was assigned CVE-2018-12562. Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ