PT-2007-7466 · Util Linux+8 · Util-Linux+8
Published: 1970-01-01 · Updated: 2020-11-04
CVE-2007-5191
CVSS v2.0: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
util-linux versions prior to 2.12r-r8
util-linux-2.11y
util-linux-2.12a
util-linux-2.13
mount-2.11y-31.24
losetup-2.11y-31.24
loop-aes-utils (affected versions not specified)
bsdutils (affected versions not specified)
mount (affected versions not specified)
mount-aes-udeb (affected versions not specified)
cfdisk-udeb (affected versions not specified)
util-linux-locales (affected versions not specified)
fdisk-udeb (affected versions not specified)
Description
The issue concerns multiple vulnerabilities in various packages of Debian GNU/Linux and Red Hat Enterprise Linux operating systems. These vulnerabilities can lead to a breach of confidentiality, integrity, and availability of protected information. Exploitation can be carried out locally by an attacker. Technical details include the incorrect order of calling setuid and setgid functions in mount and umount, as well as the lack of return value checks, potentially allowing attackers to gain privileges via helpers like mount.nfs.
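The ordering and return-value problem described above, shown beside a hardened form. This is an added example, not util-linux source: `struct id_ops`, `drop_privs_unchecked`, `drop_privs` and the stub functions are hypothetical names, and the stubs are constructed test doubles.

```c
/* Added example, not util-linux source; every name below is hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Indirection so the failure path can be exercised without root. */
struct id_ops { int (*set_gid)(gid_t); int (*set_uid)(uid_t); };

/* Pattern the description reports: uid first, results ignored.
 * Always returns 0, so the caller goes on to exec the helper. */
int drop_privs_unchecked(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    ops->set_uid(uid);
    ops->set_gid(gid);
    return 0;
}

/* Hardened: gid first (a process that has already given up uid 0 can no
 * longer fully change its group IDs), then uid, each result checked.
 * Returns -1 when the caller must abort rather than exec the helper. */
int drop_privs(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->set_gid(gid) != 0) return -1;
    if (ops->set_uid(uid) != 0) return -1;
    return 0;
}

/* Constructed test doubles: they record call order, and fail_uid models
 * a setuid() call that the kernel refuses. */
char order[8]; int n_calls;
int ok_gid(gid_t g)   { (void)g; order[n_calls++] = 'g'; return 0; }
int ok_uid(uid_t u)   { (void)u; order[n_calls++] = 'u'; return 0; }
int fail_uid(uid_t u) { (void)u; order[n_calls++] = 'u'; errno = EAGAIN; return -1; }
void reset_log(void)  { n_calls = 0; memset(order, 0, sizeof order); }

int main(void)
{
    const struct id_ops real = { setgid, setuid };
    if (drop_privs(&real, getuid(), getgid()) != 0) {
        perror("dropping privileges");
        return 1;             /* never reach execv() with leftover root */
    }
    puts("privileges dropped; safe to exec the helper");
    return 0;
}
```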
Recommendations
For util-linux versions prior to 2.12r-r8, update to version 2.12r-r8 or later.
For util-linux-2.11y, util-linux-2.12a, and util-linux-2.13, update to a version later than 2.13.
For mount-2.11y-31.24 and losetup-2.11y-31.24, update to versions later than 2.11y-31.24.
For loop-aes-utils, bsdutils, mount, mount-aes-udeb, cfdisk-udeb, util-linux-locales, and fdisk-udeb, update to the latest available versions.
As a temporary workaround, consider restricting access to the mount and umount functions until a patch is available.
Restrict the use of the setuid and setgid functions to minimize the risk of exploitation.
Fix
Weakness Enumeration
Unchecked Return Value
Related Identifiers
Affected Products
Debian
Red Hat
Bsdutils
Fdisk-Udeb
Loop-Aes-Utils
Mount
Mount-Aes-Udeb
Util-Linux
Util-Linux-Locales