Debian Bug report logs - #583908
CVE-2010-0296: GNU Glibc mntent Newline Processing Error Lets Local Users Gain Elevated Privileges

version graph

Package: libc6; Maintainer for libc6 is GNU Libc Maintainers <[email protected]>; Source for libc6 is src:glibc (PTS, buildd, popcon).

Reported by: Bernd Zeimetz <[email protected]>

Date: Mon, 31 May 2010 15:30:05 UTC

Severity: grave

Tags: security

Found in version glibc/2.7-18lenny2

Done: Aurelien Jarno <[email protected]>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to [email protected], [email protected], [email protected], GNU Libc Maintainers <[email protected]>:
Bug#583908; Package libc6. (Mon, 31 May 2010 15:30:08 GMT) (full text, mbox, link).

Acknowledgement sent to Bernd Zeimetz <[email protected]>:
New Bug report received and forwarded. Copy sent to [email protected], [email protected], GNU Libc Maintainers <[email protected]>. (Mon, 31 May 2010 15:30:08 GMT) (full text, mbox, link).

Message #5 received at [email protected] (full text, mbox, reply):

From: Bernd Zeimetz <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: CVE-2010-0296: GNU Glibc mntent Newline Processing Error Lets Local Users Gain Elevated Privileges
Date: Mon, 31 May 2010 17:27:38 +0200
Package: libc6
Version: 2.7-18lenny2
Severity: grave
Tags: security

Hi,

unfortunately it is not really easy to find proper information about
this issue, especially since the same CVE number is mentaioned in a
Samba related bug (#572953). But as it seems it is possible to gain root
access by injecting newlines into a mount entry or trough a vulnerable
helper.

The fix mentioned in
http://securitytracker.com/alerts/2010/May/1024043.html
is at least missing in stable, I did not check testing/unstable.
Ubuntu released an USN on the 25th which fixes this bug and two other
CVEs: http://www.ubuntu.com/usn/usn-944-1

Cheers,

Bernd


--
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprints: 06C8 C9A2 EAAD E37E 5B2C BE93 067A AD04 C93B FF79
                   ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F

Added tag(s) pending. Request was from Aurelien Jarno <[email protected]> to [email protected]. (Fri, 04 Jun 2010 16:12:13 GMT) (full text, mbox, link).

Reply sent to Aurelien Jarno <[email protected]>:
You have taken responsibility. (Fri, 04 Jun 2010 18:30:06 GMT) (full text, mbox, link).

Notification sent to Bernd Zeimetz <[email protected]>:
Bug acknowledged by developer. (Fri, 04 Jun 2010 18:30:06 GMT) (full text, mbox, link).

Message #12 received at [email protected] (full text, mbox, reply):

From: Aurelien Jarno <[email protected]>
To: Bernd Zeimetz <[email protected]>, [email protected]
Subject: Re: Bug#583908: CVE-2010-0296: GNU Glibc mntent Newline Processing Error Lets Local Users Gain Elevated Privileges
Date: Fri, 4 Jun 2010 20:26:35 +0200
Version: eglibc/2.11.1-1

On Mon, May 31, 2010 at 05:27:38PM +0200, Bernd Zeimetz wrote:
> Package: libc6
> Version: 2.7-18lenny2
> Severity: grave
> Tags: security
> 
> Hi,
> 
> unfortunately it is not really easy to find proper information about
> this issue, especially since the same CVE number is mentaioned in a
> Samba related bug (#572953). But as it seems it is possible to gain root
> access by injecting newlines into a mount entry or trough a vulnerable
> helper.
> 
> The fix mentioned in
> http://securitytracker.com/alerts/2010/May/1024043.html
> is at least missing in stable, I did not check testing/unstable.
> Ubuntu released an USN on the 25th which fixes this bug and two other
> CVEs: http://www.ubuntu.com/usn/usn-944-1
> 

This bug has been fixed in eglibc 2.11.1-1

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
[email protected]                 http://www.aurel32.net

Bug archived. Request was from Debbugs Internal Request <[email protected]> to [email protected]. (Sat, 03 Jul 2010 07:30:48 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <[email protected]>. Last modified: Sun Dec 28 02:04:34 2025; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.