Mandriva Linux Security Advisory : pam_mount (MDVSA-2008:208-1)
Medium Nessus Plugin ID 37569
SynopsisThe remote Mandriva Linux host is missing a security update.
Descriptionpam_mount 0.10 through 0.45, when luserconf is enabled, does not verify mountpoint and source ownership before mounting a user-defined volume, which allows local users to bypass intended access restrictions via a local mount.
The updated packages have been patched to fix the issue.
The fix for CVE-2008-3970 uncovered crashes in the code handling the 'allow', 'deny', and 'require' options in pam_mount-0.33, released for Mandriva Linux 2008 Spring. Also, the verification of the allowed mount options ('allow' configuration directive) was inverted in pam_mount-0.33.
This update fixes these issues.
SolutionUpdate the affected pam_mount package.