Vulnerability Description
libgssapi and libgssglue before 0.4 do not properly check privileges, which allows local users to load untrusted configuration files and execute arbitrary code via the GSSAPI_MECH_CONF environment variable, as demonstrated using mount.nfs.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Umich | Libgssglue | <= 0.3 |
| Umich | Libgssapi | <= 0.3 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082072.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082297.html
- http://lwn.net/Alerts/449415/
- http://secunia.com/advisories/45075Vendor Advisory
- http://secunia.com/advisories/50785
- http://secunia.com/advisories/50973
- http://www.citi.umich.edu/projects/nfsv4/linux/libgssglue/libgssglue-0.4.tar.gzPatch
- http://www.openwall.com/lists/oss-security/2011/07/21/3
- http://www.openwall.com/lists/oss-security/2011/07/22/4
- http://www.openwall.com/lists/oss-security/2011/08/12/10
- http://www.securityfocus.com/bid/48490
- https://bugzilla.novell.com/show_bug.cgi?id=694598
- http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082072.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082297.html
- http://lwn.net/Alerts/449415/
FAQ
What is CVE-2011-2709?
CVE-2011-2709 is a vulnerability with a CVSS score of 6.2 (MEDIUM). libgssapi and libgssglue before 0.4 do not properly check privileges, which allows local users to load untrusted configuration files and execute arbitrary code via the GSSAPI_MECH_CONF environment var...
How severe is CVE-2011-2709?
CVE-2011-2709 has been rated MEDIUM with a CVSS base score of 6.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2011-2709?
Check the references section above for vendor advisories and patch information. Affected products include: Umich Libgssglue, Umich Libgssapi.