CVE-2007-5191 — loop-aes-utils - privilege escalation

Description

mount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs.

How to fix CVE-2007-5191

To remediate CVE-2007-5191, upgrade the affected package to a fixed version below.

Debian/loop-aes-utils—upgrade to 2.12r-15+etch1 or later
Debian/loop-aes-utils—upgrade to 2.12r-16+lenny1 or later
Debian/util-linux—upgrade to 2.13-8 or later
—upgrade to 2.12r-19etch1 or later
—upgrade to 2.12r-19+lenny1 or later

Is CVE-2007-5191 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

from 0, < 2.12r-15+etch1
from 0, < 2.12r-16+lenny1
from 0, < 2.13-8
from 0, < 2.12r-19etch1
from 0, < 2.12r-19+lenny1

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2007-5191