CVE-2011-2709

Priority
Medium
Description
libgssapi and libgssglue before 0.4 do not properly check privileges, which
allows local users to load untrusted configuration files and execute
arbitrary code via the GSSAPI_MECH_CONF environment variable, as
demonstrated using mount.nfs.
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2709
http://www.openwall.com/lists/oss-security/2011/07/21/3
http://www.ubuntu.com/usn/usn-1612-1
Bugs
https://bugzilla.novell.com/show_bug.cgi?id=694598
https://bugzilla.redhat.com/show_bug.cgi?id=724005
Assigned-to
tyhicks
Package
Source: libgssglue (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):ignored (reached end-of-life)
Ubuntu 10.04 LTS (Lucid Lynx):released (0.1-4ubuntu0.1)
Ubuntu 11.04 (Natty Narwhal):released (0.1-4ubuntu1.1)
Ubuntu 11.10 (Oneiric Ocelot):released (0.3-1ubuntu1.1)
Ubuntu 12.04 LTS (Precise Pangolin):released (0.3-4ubuntu0.1)
Ubuntu 12.10 (Quantal Quetzal):not-affected (0.4-2)
More Information

Valid XHTML 1.0 Strict

Updated: 2012-10-15 18:14:25 UTC (commit 5923)