[SECURITY] Fedora 9 Update: pam_mount-0.47-1.fc9

Thu Sep 11 17:17:03 UTC 2008

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-7976
2008-09-11 11:07:05
--------------------------------------------------------------------------------

Name        : pam_mount
Product     : Fedora 9
Version     : 0.47
Release     : 1.fc9
URL         : http://pam-mount.sourceforge.net/
Summary     : A PAM module that can mount volumes for a user session
Description :
This module is aimed at environments with central file servers that a
user wishes to mount on login and unmount on logout, such as
(semi-)diskless stations where many users can logon.

The module also supports mounting local filesystems of any kind the
normal mount utility supports, with extra code to make sure certain
volumes are set up properly because often they need more than just a
mount call, such as encrypted volumes. This includes SMB/CIFS, NCP,
davfs2, FUSE, losetup crypto, dm-crypt/cryptsetup and truecrypt.

If you intend to use pam_mount to protect volumes on your computer
using an encrypted filesystem system, please know that there are many
other issues you need to consider in order to protect your data.  For
example, you probably want to disable or encrypt your swap partition.
Don't assume a system is secure without carefully considering
potential threats.

--------------------------------------------------------------------------------
Update Information:

A security flaw in the pam_mount's handling of user defined volumes using the
'luserconf' option has been fixed in this update. The vulnerability allowed
users to arbitrarily mount filesystems at arbitrary locations.    More details
about this vulnerability can be found in the announcement message sent to the
pam-mount-user mailinglist at SourceForge: http://sourceforge.net/mailarchive/me
ssage.php?msg_name=alpine.LNX.1.10.0809042353120.17569%40fbirervta.pbzchgretzou.
qr    Upstream changelog (excluding the git shortlog) for versions 0.43-0.47:
- mount.crypt: fix option slurping (SF bug #2054323)  - properly handle simple
sgrp config items (Debian bug #493497)  - src: correct error check in run_lsof()
- conf: check that slash follows home tilde  - conf: wildcard inadvertently
matched root sometimes  - fix double-freeing the authentication token  - use ofl
instead of lsof/fuser  - kill-on-logout support (terminate processes that would
stand in the    way of unmounting)  - mount.crypt: auto-detect necessity for
running losetup  - mount.crypt: add missing null command to conform to sh syntax
(SF bug #2089446)  - conf: fix printing of strings when luser volume options
were not ok  - conf: re-add luserconf security checks  - add support for encfs
1.3.x (1.4.x already has been in for long)  - conf: add the "noroot" attribute
for <volume> to force mounting with    the unprivileged user account (required
for FUSE filesystems)  - replace fixed-size buffers and arrays with dynamic ones
(complete)    Note: This update also introduces a new version of libHX, which is
required by updated pam_mount.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep  5 2008 Till Maas <opensource at till.name> - 0.47-1
- Update to new version that includes a security fix:
  https://sourceforge.net/project/shownotes.php?release_id=624240
- Add lzma BR and unpack source manually
- Update libHX requirements
- add new binary
* Mon Jun 23 2008 Till Maas <opensource at till.name> - 0.41-2
- Add patch to fix <or> handling in config file, reference:
  Red Hat Bugzilla #448485 comment 9
  http://sourceforge.net/tracker/index.php?func=detail&aid=1974442&group_id=41452&atid=430593
  comment from 2008-06-19 10:29
* Tue Jun 17 2008 Till Maas <opensource till name> - 0.41-1
- Update to new version
* Wed Jun 11 2008 Till Maas <opensource till name> - 0.40-1
- Update to new version
- set make variable V for full compiler commandline
* Mon May  5 2008 Till Maas <opensource till name> - 0.35-1
- Update to new version
- Use $RPM_BUILD_ROOT instead of %{buildroot}
- Update description
- create and own %{_localstatedir}/run/pam_mount
* Sun Feb 24 2008 Till Maas <opensource till name> - 0.33-1
- update to new version
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #461464 - pam_mount: missing luserconf security checks
        https://bugzilla.redhat.com/show_bug.cgi?id=461464
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update pam_mount' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------