Executive Summary

Summary
Title util-linux-ng security, bug fix and enhancement update
Informations
Name RHSA-2013:0517 First vendor Publication 2013-02-21
Vendor RedHat Last vendor Modification 2013-02-21
Severity (Vendor) Low Revision 02

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score 2.1 Attack Range Local
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated util-linux-ng packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

The util-linux-ng packages contain a large variety of low-level system utilities that are necessary for a Linux operating system to function.

An information disclosure flaw was found in the way the mount command reported errors. A local attacker could use this flaw to determine the existence of files and directories they do not have access to. (CVE-2013-0157)

These updated util-linux-ng packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes.

All users of util-linux-ng are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

679833 - [RFE] tailf should support `-n 0` 783514 - Documentation for default barrier setting for EXT3 filesystems in mount manpage is wrong 790728 - blkid ignores swap UUIDs if the first byte is a zero byte 818621 - lsblk should not open device it prints info about 839281 - manpage: mount option inode_readahead for ext4 should be inode_readahead_blks 892330 - CVE-2013-0157 util-linux: mount folder existence information disclosure

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2013-0517.html

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-200 Information Exposure

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:21076
 
Oval ID: oval:org.mitre.oval:def:21076
Title: RHSA-2013:0517: util-linux-ng security, bug fix and enhancement update (Low)
Description: (a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists.
Family: unix Class: patch
Reference(s): RHSA-2013:0517-02
CESA-2013:0517
CVE-2013-0157
 Version: 5
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
 Product(s): util-linux-ng
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23653
 
Oval ID: oval:org.mitre.oval:def:23653
Title: ELSA-2013:0517: util-linux-ng security, bug fix and enhancement update (Low)
Description: (a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists.
Family: unix Class: patch
Reference(s): ELSA-2013:0517-02
CVE-2013-0157
 Version: 6
Platform(s): Oracle Linux 6
 Product(s): util-linux-ng
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27272
 
Oval ID: oval:org.mitre.oval:def:27272
Title: DEPRECATED: ELSA-2013-0517 -- util-linux-ng security, bug fix and enhancement update (low)
Description: [2.17.2-12.9] - fix #892471 - CVE-2013-0157 mount folder existence information disclosure [2.17.2-12.8] - fix #679833 - [RFE] tailf should support - fix #719927 - [RFE] add adjtimex --compare functionality to hwclock - fix #730272 - losetup does not warn if backing file is < 512 bytes - fix #730891 - document cfdisk and sfdisk incompatibility with 4096-bytes sectors - fix #736245 - lscpu segfault on non-uniform cpu configuration - fix #783514 - default barrier setting for EXT3 filesystems in mount manpage is wrong - fix #790728 - blkid ignores swap UUIDs if the first byte is a zero byte - fix #818621 - lsblk should not open device it prints info about - fix #819945 - hwclock --systz causes a system time jump - fix #820183 - mount(8) man page should include relatime in defaults definition - fix #823008 - update to the latest upstream lscpu and chcpu - fix #837935 - lscpu coredumps on a system with 158 active processors - fix #839281 - inode_readahead for ext4 should be inode_readahead_blks - fix #845477 - Duplicate SElinux mount options cause mounting from the commandline to fail - fix #845971 - while reading /etc/fstab, mount command returns a device before a directory - fix #858009 - login doesn't update /var/run/utmp properly - fix #809449 - Backport inverse tree (-s) option for lsblk and related patches - fix #809139 - lsblk option -D missing in manpage
Family: unix Class: patch
Reference(s): ELSA-2013-0517
CVE-2013-0157
 Version: 4
Platform(s): Oracle Linux 6
 Product(s): util-linux-ng
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 2

Nessus® Vulnerability Scanner

Date Description
2014-11-08 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2013-0579.nasl - Type : ACT_GATHER_INFO
2014-05-19 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201405-15.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-0517.nasl - Type : ACT_GATHER_INFO
2013-04-30 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-154.nasl - Type : ACT_GATHER_INFO
2013-03-10 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-0517.nasl - Type : ACT_GATHER_INFO
2013-03-05 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20130221_util_linux_ng_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2013-02-21 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0517.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2014-02-17 11:56:52
  • Multiple Updates
2014-01-23 00:22:08
  • Multiple Updates
2014-01-21 21:25:05
  • Multiple Updates
2013-02-21 09:19:02
  • First insertion