CVE-2013-0157
CVSS 2.1
Published: 2014-01-21 13:55:09
Revised: 2014-01-22 15:26:30

[Original] (a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists.
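The pattern the CVE text describes, as an added example that is not code from util-linux or from any of the advisories on this page: a setuid-style helper that canonicalises a caller-supplied mount point. `resolve_with_privileges` is the leaky form, and `resolve_as_real_user` temporarily switches to the caller's real uid/gid around `realpath()`, so the only answer the tool can report is one the caller could have obtained with stat(2) on their own. The function names and the choice of privilege-dropping as the mitigation are this example's assumptions, not the project's actual patch.

```c
/* Added example (not util-linux code): the error-oracle pattern behind
 * CVE-2013-0157 and one way to close it.
 *
 * A setuid tool that resolves a caller-supplied path with its own (root)
 * privileges learns things the caller could not learn alone: under a
 * directory the caller may not traverse, realpath() succeeds for an
 * existing child and fails with ENOENT for a missing one, and the tool's
 * error message then relays that difference. Resolving the path with the
 * caller's real uid/gid instead makes both cases fail with EACCES, so the
 * tool reveals nothing stat(2) would not already tell the caller. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Leaky pattern: canonicalise with whatever privileges the process has.
 * Returns 0 and fills 'out' on success, otherwise the errno value. */
int resolve_with_privileges(const char *path, char *out, size_t outlen)
{
    char buf[PATH_MAX];
    if (realpath(path, buf) == NULL)
        return errno;
    snprintf(out, outlen, "%s", buf);
    return 0;
}

/* Hardened pattern (assumed mitigation, not the real fix): switch the
 * effective ids to the real (caller's) ids around realpath(), then switch
 * back. When the process is not setuid the ids already match and nothing
 * is changed, so both resolvers behave identically. */
int resolve_as_real_user(const char *path, char *out, size_t outlen)
{
    uid_t euid = geteuid(), ruid = getuid();
    gid_t egid = getegid(), rgid = getgid();
    int dropped = (euid != ruid) || (egid != rgid);
    char buf[PATH_MAX];
    int rc = 0;

    if (dropped) {
        /* gid first: once euid is unprivileged, setegid() may be refused */
        if (setegid(rgid) != 0)
            return EPERM;
        if (seteuid(ruid) != 0) {
            setegid(egid);
            return EPERM;
        }
    }
    if (realpath(path, buf) == NULL)
        rc = errno;
    else
        snprintf(out, outlen, "%s", buf);
    if (dropped) {
        /* uid first, so that the gid change is permitted again; if we
         * cannot regain privileges the process state is unknown: stop. */
        if (seteuid(euid) != 0 || setegid(egid) != 0)
            abort();
    }
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    char a[PATH_MAX], b[PATH_MAX];
    int rc1 = resolve_with_privileges(path, a, sizeof a);
    int rc2 = resolve_as_real_user(path, b, sizeof b);
    printf("with privileges: %s\n", rc1 ? strerror(rc1) : a);
    printf("as real user:    %s\n", rc2 ? strerror(rc2) : b);
    return 0;
}
```

Run as an ordinary user, both resolvers return the same result because there are no privileges to drop; the two lines only diverge when the binary runs with an effective uid that can traverse directories the real uid cannot, which is exactly the situation a setuid mount is in.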


[CNNVD] util-linux Package 'mount' and 'umount' Information Disclosure Vulnerability (CNNVD-201301-081)

The 'util-linux' package contains an information disclosure vulnerability. An attacker can exploit it to obtain potentially sensitive information, such as which directories exist. The information obtained may aid in launching further attacks.

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CWE (weakness category)

CWE-200 [Information Exposure]

- CPE (affected platforms and products)

cpe:/a:kernel:util-linux:2.14.1
cpe:/a:kernel:util-linux:2.17.2

- OVAL (technical details for detection)

oval:org.mitre.oval:def:21076  RHSA-2013:0517: util-linux-ng security, bug fix and enhancement update (Low)
oval:org.mitre.oval:def:23653  ELSA-2013:0517: util-linux-ng security, bug fix and enhancement update (Low)
oval:org.mitre.oval:def:27272  DEPRECATED: ELSA-2013-0517 -- util-linux-ng security, bug fix and enhancement update (low)
*OVAL describes in detail how to detect this vulnerability; further technical detail on detecting it can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0157
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0157
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-201301-081
(official data source) CNNVD

- Other links and resources

https://bugzilla.redhat.com/show_bug.cgi?id=892330
(UNKNOWN)  CONFIRM  https://bugzilla.redhat.com/show_bug.cgi?id=892330
http://www.mandriva.com/security/advisories?name=MDVSA-2013:154
(UNKNOWN)  MANDRIVA  MDVSA-2013:154
http://rhn.redhat.com/errata/RHSA-2013-0517.html
(UNKNOWN)  REDHAT  RHSA-2013:0517
http://osvdb.org/88953
(UNKNOWN)  OSVDB  88953
http://marc.info/?l=oss-security&m=135749410312247&w=2
(UNKNOWN)  MLIST  [oss-security] 20130106 Re: CVE request: mount/umount leak information about existence of folders
http://bugs.debian.org/697464
(UNKNOWN)  CONFIRM  http://bugs.debian.org/697464

- Vulnerability information

util-linux Package 'mount' and 'umount' Information Disclosure Vulnerability
Information disclosure
2013-01-08 00:00:00 2013-01-08 00:00:00
Local
The 'util-linux' package contains an information disclosure vulnerability. An attacker can exploit it to obtain potentially sensitive information, such as which directories exist. The information obtained may aid in launching further attacks.

- Advisories and patches

The vendor has released an upgrade patch to fix this security issue; it can be obtained from:
http://www.kernel.org/pub/linux/utils/util-linux/

- Vulnerability information (F120443)

Red Hat Security Advisory 2013-0517-02 (PacketStormID:F120443)
2013-02-21 00:00:00
Red Hat  
advisory,local,info disclosure
linux,redhat
CVE-2013-0157
[Download]

Red Hat Security Advisory 2013-0517-02 - The util-linux-ng packages contain a large variety of low-level system utilities that are necessary for a Linux operating system to function. An information disclosure flaw was found in the way the mount command reported errors. A local attacker could use this flaw to determine the existence of files and directories they do not have access to. These updated util-linux-ng packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: util-linux-ng security, bug fix and enhancement update
Advisory ID:       RHSA-2013:0517-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0517.html
Issue date:        2013-02-21
CVE Names:         CVE-2013-0157 
=====================================================================

1. Summary:

Updated util-linux-ng packages that fix one security issue, several bugs,
and add various enhancements are now available for Red Hat Enterprise
Linux 6.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

The util-linux-ng packages contain a large variety of low-level system
utilities that are necessary for a Linux operating system to function.

An information disclosure flaw was found in the way the mount command
reported errors. A local attacker could use this flaw to determine the
existence of files and directories they do not have access to.
(CVE-2013-0157)

These updated util-linux-ng packages include numerous bug fixes and
enhancements. Space precludes documenting all of these changes in this
advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical
Notes, linked to in the References, for information on the most significant
of these changes.

All users of util-linux-ng are advised to upgrade to these updated
packages, which contain backported patches to correct these issues and add
these enhancements.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

679833 - [RFE] tailf should support `-n 0`
783514 - Documentation for default barrier setting for EXT3 filesystems in mount manpage is wrong
790728 - blkid ignores swap UUIDs if the first byte is a zero byte
818621 - lsblk should not open device it prints info about
839281 - manpage: mount option inode_readahead for ext4 should be inode_readahead_blks
892330 - CVE-2013-0157 util-linux: mount folder existence information disclosure

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/util-linux-ng-2.17.2-12.9.el6.src.rpm

i386:
libblkid-2.17.2-12.9.el6.i686.rpm
libuuid-2.17.2-12.9.el6.i686.rpm
util-linux-ng-2.17.2-12.9.el6.i686.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.i686.rpm
uuidd-2.17.2-12.9.el6.i686.rpm

x86_64:
libblkid-2.17.2-12.9.el6.i686.rpm
libblkid-2.17.2-12.9.el6.x86_64.rpm
libuuid-2.17.2-12.9.el6.i686.rpm
libuuid-2.17.2-12.9.el6.x86_64.rpm
util-linux-ng-2.17.2-12.9.el6.i686.rpm
util-linux-ng-2.17.2-12.9.el6.x86_64.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.i686.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.x86_64.rpm
uuidd-2.17.2-12.9.el6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/util-linux-ng-2.17.2-12.9.el6.src.rpm

i386:
libblkid-devel-2.17.2-12.9.el6.i686.rpm
libuuid-devel-2.17.2-12.9.el6.i686.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.i686.rpm

x86_64:
libblkid-devel-2.17.2-12.9.el6.i686.rpm
libblkid-devel-2.17.2-12.9.el6.x86_64.rpm
libuuid-devel-2.17.2-12.9.el6.i686.rpm
libuuid-devel-2.17.2-12.9.el6.x86_64.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.i686.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/util-linux-ng-2.17.2-12.9.el6.src.rpm

x86_64:
libblkid-2.17.2-12.9.el6.i686.rpm
libblkid-2.17.2-12.9.el6.x86_64.rpm
libuuid-2.17.2-12.9.el6.i686.rpm
libuuid-2.17.2-12.9.el6.x86_64.rpm
util-linux-ng-2.17.2-12.9.el6.i686.rpm
util-linux-ng-2.17.2-12.9.el6.x86_64.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.i686.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.x86_64.rpm
uuidd-2.17.2-12.9.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/util-linux-ng-2.17.2-12.9.el6.src.rpm

x86_64:
libblkid-devel-2.17.2-12.9.el6.i686.rpm
libblkid-devel-2.17.2-12.9.el6.x86_64.rpm
libuuid-devel-2.17.2-12.9.el6.i686.rpm
libuuid-devel-2.17.2-12.9.el6.x86_64.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.i686.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/util-linux-ng-2.17.2-12.9.el6.src.rpm

i386:
libblkid-2.17.2-12.9.el6.i686.rpm
libblkid-devel-2.17.2-12.9.el6.i686.rpm
libuuid-2.17.2-12.9.el6.i686.rpm
libuuid-devel-2.17.2-12.9.el6.i686.rpm
util-linux-ng-2.17.2-12.9.el6.i686.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.i686.rpm
uuidd-2.17.2-12.9.el6.i686.rpm

ppc64:
libblkid-2.17.2-12.9.el6.ppc.rpm
libblkid-2.17.2-12.9.el6.ppc64.rpm
libblkid-devel-2.17.2-12.9.el6.ppc.rpm
libblkid-devel-2.17.2-12.9.el6.ppc64.rpm
libuuid-2.17.2-12.9.el6.ppc.rpm
libuuid-2.17.2-12.9.el6.ppc64.rpm
libuuid-devel-2.17.2-12.9.el6.ppc.rpm
libuuid-devel-2.17.2-12.9.el6.ppc64.rpm
util-linux-ng-2.17.2-12.9.el6.ppc.rpm
util-linux-ng-2.17.2-12.9.el6.ppc64.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.ppc.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.ppc64.rpm
uuidd-2.17.2-12.9.el6.ppc64.rpm

s390x:
libblkid-2.17.2-12.9.el6.s390.rpm
libblkid-2.17.2-12.9.el6.s390x.rpm
libblkid-devel-2.17.2-12.9.el6.s390.rpm
libblkid-devel-2.17.2-12.9.el6.s390x.rpm
libuuid-2.17.2-12.9.el6.s390.rpm
libuuid-2.17.2-12.9.el6.s390x.rpm
libuuid-devel-2.17.2-12.9.el6.s390.rpm
libuuid-devel-2.17.2-12.9.el6.s390x.rpm
util-linux-ng-2.17.2-12.9.el6.s390.rpm
util-linux-ng-2.17.2-12.9.el6.s390x.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.s390.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.s390x.rpm
uuidd-2.17.2-12.9.el6.s390x.rpm

x86_64:
libblkid-2.17.2-12.9.el6.i686.rpm
libblkid-2.17.2-12.9.el6.x86_64.rpm
libblkid-devel-2.17.2-12.9.el6.i686.rpm
libblkid-devel-2.17.2-12.9.el6.x86_64.rpm
libuuid-2.17.2-12.9.el6.i686.rpm
libuuid-2.17.2-12.9.el6.x86_64.rpm
libuuid-devel-2.17.2-12.9.el6.i686.rpm
libuuid-devel-2.17.2-12.9.el6.x86_64.rpm
util-linux-ng-2.17.2-12.9.el6.i686.rpm
util-linux-ng-2.17.2-12.9.el6.x86_64.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.i686.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.x86_64.rpm
uuidd-2.17.2-12.9.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/util-linux-ng-2.17.2-12.9.el6.src.rpm

i386:
libblkid-2.17.2-12.9.el6.i686.rpm
libblkid-devel-2.17.2-12.9.el6.i686.rpm
libuuid-2.17.2-12.9.el6.i686.rpm
libuuid-devel-2.17.2-12.9.el6.i686.rpm
util-linux-ng-2.17.2-12.9.el6.i686.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.i686.rpm
uuidd-2.17.2-12.9.el6.i686.rpm

x86_64:
libblkid-2.17.2-12.9.el6.i686.rpm
libblkid-2.17.2-12.9.el6.x86_64.rpm
libblkid-devel-2.17.2-12.9.el6.i686.rpm
libblkid-devel-2.17.2-12.9.el6.x86_64.rpm
libuuid-2.17.2-12.9.el6.i686.rpm
libuuid-2.17.2-12.9.el6.x86_64.rpm
libuuid-devel-2.17.2-12.9.el6.i686.rpm
libuuid-devel-2.17.2-12.9.el6.x86_64.rpm
util-linux-ng-2.17.2-12.9.el6.i686.rpm
util-linux-ng-2.17.2-12.9.el6.x86_64.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.i686.rpm
util-linux-ng-debuginfo-2.17.2-12.9.el6.x86_64.rpm
uuidd-2.17.2-12.9.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0157.html
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.4_Technical_Notes/util-linux-ng.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJcLAXlSAg2UNWIIRApVzAJ0fshYq0oeOrw3dl/TjqHLja4TRRwCgpnRW
+V9KMgzKYmeGx/nj9jYsM7Q=
=ghEC
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability information (F121441)

Mandriva Linux Security Advisory 2013-154 (PacketStormID:F121441)
2013-04-29 00:00:00
Mandriva  mandriva.com
advisory,local,info disclosure
linux,mandriva
CVE-2013-0157
[Download]

Mandriva Linux Security Advisory 2013-154 - An information disclosure flaw was found in the way the mount command reported errors. A local attacker could use this flaw to determine the existence of files and directories they do not have access to. Additionally for Mandriva Enterprise Server 5 a patch was added to support a new --no-canonicalize switch for mount to support the fix for in fuse. The updated packages have been patched to correct these issues.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:154
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : util-linux
 Date    : April 29, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in util-linux:
 
 An information disclosure flaw was found in the way the mount command
 reported errors. A local attacker could use this flaw to determine
 the existence of files and directories they do not have access to
 (CVE-2013-0157).
 
 Additionally for Mandriva Enterprise Server 5 a patch was added to
 support a new --no-canonicalize switch for mount to support the fix
 for CVE-2010-3879 in fuse.
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0157
 https://bugzilla.redhat.com/show_bug.cgi?id=892330
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 564d206bc3fbe205b513215114bf00b8  mes5/i586/util-linux-ng-2.14.1-4.5mdvmes5.2.i586.rpm 
 f6419cfdb234ef90bb55383bf794075b  mes5/SRPMS/util-linux-ng-2.14.1-4.5mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 04ee13c6ade3dc2db9f082a6967605b1  mes5/x86_64/util-linux-ng-2.14.1-4.5mdvmes5.2.x86_64.rpm 
 f6419cfdb234ef90bb55383bf794075b  mes5/SRPMS/util-linux-ng-2.14.1-4.5mdvmes5.2.src.rpm

 Mandriva Business Server 1/X86_64:
 021cf6fa62c0ed819ed207f92ed98e15  mbs1/x86_64/lib64blkid1-2.21.1-2.1.mbs1.x86_64.rpm
 b6045e31d00919d285513eac4089afaf  mbs1/x86_64/lib64blkid-devel-2.21.1-2.1.mbs1.x86_64.rpm
 e1b3aedae059e29a78f4a17a4b06bca6  mbs1/x86_64/lib64mount1-2.21.1-2.1.mbs1.x86_64.rpm
 7b80e099385e85cdb34671433f4a27a1  mbs1/x86_64/lib64mount-devel-2.21.1-2.1.mbs1.x86_64.rpm
 9822cd41d625a3f14f91194453993589  mbs1/x86_64/lib64uuid1-2.21.1-2.1.mbs1.x86_64.rpm
 2a4331643cc7d622b99ced61fef1599a  mbs1/x86_64/lib64uuid-devel-2.21.1-2.1.mbs1.x86_64.rpm
 e6a33fee978e7fa5340ae8c45b084e69  mbs1/x86_64/util-linux-2.21.1-2.1.mbs1.x86_64.rpm
 4c13d168b7923163c7dcd2ede53d8c11  mbs1/x86_64/uuidd-2.21.1-2.1.mbs1.x86_64.rpm 
 db4999c92ef86204f57700e4b8d75a36  mbs1/SRPMS/util-linux-2.21.1-2.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRfj3EmqjQ0CJFipgRAsOFAKDZp23ybSNNt0y+hVD6Oy1KRELUqACgxKH1
i/UZjJmC+oXOiYghpZMY7r0=
=lMrO
-----END PGP SIGNATURE-----
    

- Vulnerability information (F126680)

Gentoo Linux Security Advisory 201405-15 (PacketStormID:F126680)
2014-05-19 00:00:00
Gentoo  security.gentoo.org
advisory,denial of service,vulnerability
linux,gentoo
CVE-2011-1675,CVE-2011-1676,CVE-2011-1677,CVE-2013-0157
[Download]

Gentoo Linux Security Advisory 201405-15 - Multiple vulnerabilities have been found in util-linux, the worst of which may lead to Denial of Service. Versions less than 2.22.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201405-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: util-linux: Multiple vulnerabilities
     Date: May 18, 2014
     Bugs: #359759, #450740
       ID: 201405-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in util-linux, the worst of
which may lead to Denial of Service.

Background
==========

util-linux is a suite of Linux programs including mount and umount,
programs used to mount and unmount filesystems.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  sys-apps/util-linux          < 2.22.2                  >= 2.22.2 

Description
===========

Multiple vulnerabilities have been discovered in util-linux. Please
review the CVE identifiers referenced below for details.

Impact
======

A local attacker may be able to cause a Denial of Service condition,
trigger corruption of /etc/mtab, obtain sensitive information, or have
other unspecified impact.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All util-linux users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/util-linux-2.22.2"

References
==========

[ 1 ] CVE-2011-1675
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1675
[ 2 ] CVE-2011-1676
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1676
[ 3 ] CVE-2011-1677
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1677
[ 4 ] CVE-2013-0157
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0157

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201405-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
    

- Vulnerability information

88953
Debian Linux mount / umount Privileged Directory Enumeration
Local Access Required Information Disclosure
Loss of Confidentiality Solution Unknown
Exploit Public Third-party Verified

- Vulnerability description

Debian Linux contains a flaw that may lead to unauthorized disclosure of potentially sensitive information. The issue is due to an error in the mount and unmount commands and may allow a local attacker to enumerate privileged directories.

- Timeline

2013-01-05 Unknown
2013-01-05 Unknown

- Solution

OSVDB is not currently aware of a solution for this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

util-linux Package 'mount' and 'umount' Information Disclosure Vulnerability
Design Error 57168
No Yes
2013-01-07 12:00:00 2013-04-29 01:51:00
Jann Horn

- Affected program versions

Red Hat Enterprise Linux Workstation 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux HPC Node Optional 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Desktop Optional 6
Red Hat Enterprise Linux Desktop 6
Oracle Enterprise Linux 6.2
Oracle Enterprise Linux 6
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
CentOS CentOS 6
Avaya Aura Experience Portal 6.0
+ Avaya Communication Manager Server DEFINITY Server SI/CS
+ Avaya Communication Manager Server S8100
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8700

- Vulnerability discussion

The 'util-linux' package is prone to an information-disclosure vulnerability.

Attackers can exploit this issue to obtain potentially sensitive information such as the existence of folders. Information obtained may aid in launching further attacks.

- Exploitation

An attacker requires local interactive access to an affected computer to exploit.

- Solution

Updates are available. Please see the references for more information.

- References