[Secure-testing-team] Bug#697464: mount/umount leak information about existence of folders
Jann Horn
jannhorn at googlemail.com
Sat Jan 5 16:20:37 UTC 2013
Package: mount
Version: 2.20.1-5.3
Severity: critical
Tags: security
Justification: root security hole
mount discloses information about folders not accessible for a user:
$ ls -ld /root/.ssh
ls: cannot access /root/.ssh: Permission denied
$ ls -ld /root/.foo
ls: cannot access /root/.foo: Permission denied
First variant:
$ mount --guess-fstype /root/.ssh/../../dev/sda1
ext4
$ mount --guess-fstype /root/.foo/../../dev/sda1
unknown
Second one:
$ mount /root/.ssh/../../dev/cdrom
mount: no medium found on /dev/sr0
$ mount /root/.foo/../../dev/cdrom
mount: can't find /root/.foo/../../dev/cdrom in /etc/fstab or /etc/mtab
These issues were, as far as I can see, fixed in the following upstream commits:
- 0377ef91270d06592a0d4dd009c29e7b1ff9c9b8
- 33c5fd0c5a774458470c86f9d318d8c48a9c9ccb
- 5ebbc3865d1e53ef42e5f121c41faab23dd59075
- cc8cc8f32c863f3ae6a8a88e97b47bcd6a21825f
However, the last two commits might have to be rewritten - I think that debian uses
mount-deprecated and those commits are for the new mount.
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.6.7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages mount depends on:
ii libblkid1 2.20.1-5.3
ii libc6 2.13-37
ii libmount1 2.20.1-5.3
ii libselinux1 2.1.9-5
ii libsepol1 2.1.4-3
mount recommends no packages.
Versions of packages mount suggests:
ii nfs-common 1:1.2.6-3
-- no debconf information
More information about the Secure-testing-team
mailing list