pam_mount 0.10 through 0.45, when luserconf is enabled, does not verify mountpoint and source ownership before mounting a user-defined volume, which allows local users to bypass intended access restrictions via a local mount. The updated packages have been patched to fix the issue. Update: The fix for CVE-2008-3970 uncovered crashes in the code handling the "allow", "deny", and "require" options in pam_mount-0.33, released for Mandriva Linux 2008 Spring. Also, the verification of the allowed mount options was inverted in pam_mount-0.33. This update fixes these issues.