USN-2579-1: autofs vulnerability

27 April 2015

autofs vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.10

Summary

autofs could be made to run programs as an administrator if program maps were configured.

Software Description

  • autofs - kernel-based automounter for Linux

Details

It was discovered that autofs incorrectly filtered environment variables when using program maps. When program maps were configured, a local user could use this issue to escalate privileges.

This update changes the default behaviour by adding a prefix to environment variables. Sites using program maps will need to adapt to the new variable names, or revert to the previous names by using a new configuration option called FORCE_STANDARD_PROGRAM_MAP_ENV.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.10
autofs - 5.0.8-1ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References