Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 569
Alerts This Week
Warning Icon 1 569

RHEL 5 Low: RHSA-2012:0307-03 Util-Linux Security Fix Summary

red hat
Calendar Grey February 21, 2012
Scroller Redhat
A new release of util-linux addresses vulnerabilities and resolves various bugs, improving efficiency on Red Hat Enterprise Linux platforms.
An updated util-linux package that fixes multiple security issues, various bugs, and adds two enhancements is now available for Red Hat Enterprise Linux 5

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

Summary

The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, util-linux contains the fdisk configuration tool and the login program.
Multiple flaws were found in the way the mount and umount commands performed mtab (mounted file systems table) file updates. A local, unprivileged user allowed to mount or unmount file systems could use these flaws to corrupt the mtab file and create a stale lock file, preventing other users from mounting and unmounting file systems. (CVE-2011-1675, CVE-2011-1677)
This update also fixes the following bugs:
* When the user logged into a telnet server, the login utility did not update the utmp database properly if the utility was executed from the telnetd daemon. This was due to telnetd not creating an appropriate entry in a utmp file before executing login. With this update, correct entries are created and the database is updated properly. (BZ#646300)
* Various options were not described on the blockdev(8) manual page. With this update, the blockdev(8) manual page includes all the relevant options. (BZ#650937)
* Prior to this update, the build process of the util-linux package failed in the po directory with the following error message: "@MKINSTALLDIRS@: No such file or directory". An upstream patch has been applied to address this issue, and the util-linux package now builds successfully. (BZ#677452)
* Previously, the ipcs(1) and ipcrm(1) manual pages mentioned an invalid option, "-b". With this update, only valid options are listed on those manual pages. (BZ#678407)
* Previously, the mount(8) manual page contained incomplete information about the ext4 and XFS file systems. With this update, the mount(8) manual page contains the missing information. (BZ#699639)
In addition, this update adds the following enhancements:
* Previously, if DOS mode was enabled on a device, the fdisk utility could report error messages similar to the following:
Partition 1 has different physical/logical beginnings (non-Linux?): phys=(0, 1, 1) logical=(0, 2, 7)
This update enables users to switch off DOS compatible mode (by specifying the "-c" option), and such error messages are no longer displayed. (BZ#678430)
* This update adds the "fsfreeze" command which halts access to a file system on a disk. (BZ#726572)
All users of util-linux are advised to upgrade to this updated package, which contains backported patches to correct these issues and add these enhancements.

References

https://access.redhat.com/security/cve/CVE-2011-1675 https://access.redhat.com/security/cve/CVE-2011-1677 https://access.redhat.com/security/updates/classification#low

Package List

Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
i386: util-linux-2.13-0.59.el5.i386.rpm util-linux-debuginfo-2.13-0.59.el5.i386.rpm
x86_64: util-linux-2.13-0.59.el5.x86_64.rpm util-linux-debuginfo-2.13-0.59.el5.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
i386: util-linux-2.13-0.59.el5.i386.rpm util-linux-debuginfo-2.13-0.59.el5.i386.rpm
ia64: util-linux-2.13-0.59.el5.ia64.rpm util-linux-debuginfo-2.13-0.59.el5.ia64.rpm
ppc: util-linux-2.13-0.59.el5.ppc.rpm util-linux-debuginfo-2.13-0.59.el5.ppc.rpm
s390x: util-linux-2.13-0.59.el5.s390x.rpm util-linux-debuginfo-2.13-0.59.el5.s390x.rpm
x86_64: util-linux-2.13-0.59.el5.x86_64.rpm util-linux-debuginfo-2.13-0.59.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package


Severity
low
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2012:0307-03
Product: Red Hat Enterprise Linux
Issue date: 2012-02-21
Keywords: fdisk fsfreeze blockdev ipc

Topic

An updated util-linux package that fixes multiple security issues, variousbugs, and adds two enhancements is now available for Red HatEnterprise Linux 5.The Red Hat Security Response Team has rated this update as having lowsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,which give detailed severity ratings, are available for each vulnerabilityfrom the CVE links in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

Bugs Fixed

646300 - login doesn't update /var/run/utmp properly

650937 - blockdev man page missing information

677452 - util-linux fails to build with gettext-0.17

678407 - [RHEL 5] ipcs and ipcrm in wrong man section

695916 - CVE-2011-1675 util-linux: mount fails to anticipate RLIMIT_FSIZE

695924 - CVE-2011-1677 util-linux: umount may fail to remove /etc/mtab~ lock file

699639 - mount man page is missing support for ext4/xfs

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.