Bug 668820

Summary: VUL-0: more fuse umount race fixes
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: General
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: mszeredi, regis, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:released:sle11-sp1:39128 maint:released:11.3:39501 maint:released:sle10-sp3:39131 maint:released:sle10-sp4:39368 CVSSv2:NVD:CVE-2011-0541:3.3:(AV:L/AC:M/Au:N/C:N/I:P/A:P) CVSSv2:RedHat:CVE-2011-0541:2.6:(AV:L/AC:H/Au:N/C:N/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 685055

Description Ludwig Nussel 2011-02-02 08:16:46 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

------------------------------------------------------------------------------
Date: Tue, 01 Feb 2011 23:12:22 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Subject: [oss-security] CVE request: fuse

Hello,

A few more fixes have made their way to FUSE to prevent TOCTTOU symlink
attacks. An unprivileged user was able to unmount arbitrary mounts:

http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f
http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873
http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47

Could we please get one or more CVE numbers for them?

Thanks,

Marc.


-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
Comment 1 Miklos Szeredi 2011-02-02 09:17:12 UTC
(In reply to comment #0)
> A few more fixes have made their way to FUSE to prevent TOCTTOU symlink
> attacks. An unprivileged user was able to unmount arbitrary mounts:
> 
> http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f

This is a new issue, yes.

> http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873

This is not a security fix, AFAICS.

> http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47

And this is CVE-2010-3879 (bug 651598).
Comment 2 Ludwig Nussel 2011-02-02 09:35:24 UTC
(In reply to comment #1)
> > http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47
> 
> And this CVE-2010-3879 (bug 651598)

This moves and removes code. Is this required to actually fix CVE-2010-3879 or is it just cleanup?
Comment 3 Miklos Szeredi 2011-02-02 09:46:10 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > > http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47
> > 
> > And this CVE-2010-3879 (bug 651598)
> 
> This moves and removes code. Is this required to actually fix CVE-2010-3879 or
> is it just cleanup?

This is a fix for HEAD that already had a broken fix for CVE-2010-3879.

But the packages submitted for bug 651598 are not based on HEAD; it's an independent patch and should be OK.
Comment 4 Thomas Biege 2011-02-04 09:40:14 UTC
http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f

Fuse tries to mount a directory without resolving symlinks, and then
tries to update mtab. If it couldn't update mtab, it would unmount the
directory while resolving symlinks this time, resulting in a different
directory being unmounted.

http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873

This prevents local users from changing the location of the current
directory from under fuse using a timing attack.

http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47

Fuse uses the --no-canonicalize mount option to prevent a symlink attack
on the mount point written to mtab. For backwards compatibility reasons,
it would fallback to using mount in an insecure way. This fallback could
get triggered by a user when an entry already existed in mtab.


All three of these issues allowed local users to trick fuse into
unmounting arbitrary directories.
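The first issue above is a classic check-vs-use divergence: the mount step used the path as given, while the rollback step resolved symlinks again, so anything that changed a symlink in between redirected the unmount. The following C program is an added illustration written for this bug page; it is not FUSE's code, and it performs no real mounts. It builds a private directory tree under /tmp (constructed input: a symlink `mnt` first pointing at `real_a`, then swapped to `real_b`), shows that re-resolving the user path at rollback time names a different directory than the one acted on at "mount" time, and shows the defensive alternative: resolve once, pin the result together with its dev/ino identity, and refuse the rollback if that identity no longer matches. All function names are this example's own and assume a POSIX system with a writable /tmp.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What the mount step should remember about the mountpoint it acted on. */
struct mount_record {
    char resolved[PATH_MAX];   /* symlinks resolved exactly once, here */
    dev_t dev;                 /* identity of that resolved directory */
    ino_t ino;
};

/* Mount-time step: resolve the user-supplied path once and pin the result. */
static int record_mountpoint(const char *user_path, struct mount_record *rec)
{
    struct stat st;
    if (realpath(user_path, rec->resolved) == NULL)
        return -1;
    if (stat(rec->resolved, &st) != 0)
        return -1;
    rec->dev = st.st_dev;
    rec->ino = st.st_ino;
    return 0;
}

/* The pattern that went wrong: at rollback time, resolve the *user* path again.
   A symlink changed in between now redirects the rollback elsewhere. */
static int rollback_path_resolved_again(const char *user_path, char *out)
{
    return realpath(user_path, out) == NULL ? -1 : 0;
}

/* The safe pattern: act only on the path pinned at mount time, and refuse if the
   directory behind it is no longer the one recorded (dev/ino mismatch). */
static int rollback_target_is_pinned(const struct mount_record *rec)
{
    struct stat st;
    if (stat(rec->resolved, &st) != 0)
        return 0;
    return st.st_dev == rec->dev && st.st_ino == rec->ino;
}

/* Demo on constructed input in a private temp directory, no real mounts:
   mnt -> real_a when "mounted", swapped to real_b before the rollback.
   Returns -1 on setup failure, otherwise bit 0 = re-resolved rollback diverged,
   bit 1 = pinned rollback still refers to the original directory. */
int run_demo(void)
{
    char base[] = "/tmp/fuse-umount-race-XXXXXX";
    char real_a[PATH_MAX], real_b[PATH_MAX], mnt[PATH_MAX], again[PATH_MAX];
    struct mount_record rec;
    int result = 0;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(real_a, sizeof real_a, "%s/real_a", base);
    snprintf(real_b, sizeof real_b, "%s/real_b", base);
    snprintf(mnt, sizeof mnt, "%s/mnt", base);
    if (mkdir(real_a, 0700) || mkdir(real_b, 0700) || symlink(real_a, mnt))
        goto cleanup;

    /* "mount" step: the path is resolved once and pinned */
    if (record_mountpoint(mnt, &rec) != 0)
        goto cleanup;

    /* the symlink is changed after the mount step */
    if (unlink(mnt) || symlink(real_b, mnt))
        goto cleanup;

    /* insecure rollback re-resolves and now names real_b */
    if (rollback_path_resolved_again(mnt, again) == 0 &&
        strcmp(again, rec.resolved) != 0)
        result |= 1;

    /* pinned rollback still names real_a and passes the identity check */
    if (rollback_target_is_pinned(&rec))
        result |= 2;

cleanup:
    unlink(mnt);
    rmdir(real_a);
    rmdir(real_b);
    rmdir(base);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("re-resolved rollback diverged: %s, pinned rollback intact: %s\n",
           (r & 1) ? "yes" : "no", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The point of the dev/ino comparison is that a path string alone is not an identity: even with symlinks resolved once, the directory it named can be renamed away later, so the rollback should confirm it is still operating on the object it recorded rather than on whatever the name resolves to now.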
Comment 5 Thomas Biege 2011-02-04 10:34:50 UTC
p5->p3 mass change
Comment 6 Miklos Szeredi 2011-02-04 13:35:15 UTC
> http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873
> 
> This prevents local users from changing the location of the current
> directory from under fuse using a timing attack.

Not sure what you mean?  The location of the CWD should be irrelevant at that point.  I looked at a strace now, and "mount --no-canonicalize ..." indeed ignores the CWD completely.  Doing that chdir("/") is for defensive reasons, not because there was any specific problem with not doing it.
Comment 7 Thomas Biege 2011-02-08 13:32:12 UTC
(In reply to comment #6)
> > http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873
> > 
> > This prevents local users from changing the location of the current
> > directory from under fuse using a timing attack.
> 
> Not sure what you mean?  The location of the CWD should be irrelevant at that
> point.  I looked at a strace now, and "mount --no-canonicalize ..." indeed
> ignores the CWD completely.  Doing that chdir("/") is for defensive reasons,
> not because there was any specific problem with not doing it.

I am sorry for causing confusion. This was not my statement, just a copy-and-paste for the oss-security ML.
Comment 8 Thomas Biege 2011-02-09 06:44:09 UTC
Re: [oss-security] CVE request: fuse
 From: Josh Bressers <bressers@redhat.com>
 To: oss-security@lists.openwall.com
 Cc: coley <coley@mitre.org>
 
Sorry for the delay, some other things popped up :(

I'm going to assign 3 IDs. These look like they maybe could be combined,
but I'd rather not try to just to have a big split later on when we find
out various versions are affected in different ways.

> 
> http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f
> 
> Fuse tries to mount a directory without resolving symlinks, and then
> tries to update mtab. If it couldn't update mtab, it would unmount the
> directory while resolving symlinks this time, resulting in a different
> directory being unmounted.

Use CVE-2011-0541


> 
> http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873
> 
> This prevents local users from changing the location of the current
> directory from under fuse using a timing attack.

Use CVE-2011-0542


> 
> http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47
> 
> Fuse uses the --no-canonicalize mount option to prevent a symlink attack
> on the mount point written to mtab. For backwards compatibility reasons,
> it would fallback to using mount in an insecure way. This fallback could
> get triggered by a user when an entry already existed in mtab.
> 

Use CVE-2011-0543

Thanks.

-- 
    JB
Comment 9 Miklos Szeredi 2011-02-21 19:16:06 UTC
Submitted fixes for CVE-2011-0541:

SUSE:SLE-11-SP1:Update:Test (sr#10796)
SUSE:SLE-10-SP3:Update:Test (sr#10797)
openSUSE:11.3:Update:Test (sr#62399)
openSUSE:11.2:Update:Test (sr#62400)
openSUSE:Factory (sr#62403)

CVE-2011-0543 is already fixed in the current repository under the designation of bnc#651598.

As for CVE-2011-0542, I don't see that it's a security issue.
Comment 10 Miklos Szeredi 2011-02-22 07:58:28 UTC
Reassigning to security team.
Comment 11 Thomas Biege 2011-02-22 13:44:15 UTC
Hello Miklos,
your patch fuse-fix-cleanup-in-case-of-failed-mount.patch seems to be different from the upstream patches. It just removes umount which makes "problematic" mounts unremovable. Is this intended?
Comment 12 Miklos Szeredi 2011-02-22 13:57:50 UTC
Hello Thomas,

Yes, it's intended.  After more thoroughly testing the upstream patch, it turns out that it didn't work as intended, failing the umount() with -EINVAL.

I thought about it long and hard, and concluded that there's no sane solution to this, so I'm going with the simple fix of just removing the problematic umount() call.
Comment 13 Swamp Workflow Management 2011-03-30 12:11:48 UTC
Update released for: fuse, fuse-debuginfo, fuse-debugsource, fuse-devel, libblkid-devel, libblkid-devel-32bit, libblkid1, libblkid1-32bit, libblkid1-x86, libfuse2, libuuid-devel, libuuid-devel-32bit, libuuid1, libuuid1-32bit, libuuid1-x86, util-linux, util-linux-debuginfo, util-linux-debugsource, util-linux-lang, uuid-runtime
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 14 Swamp Workflow Management 2011-03-31 08:22:15 UTC
Update released for: fuse, fuse-debuginfo, fuse-debugsource, fuse-devel, fuse-devel-static, libblkid-devel, libblkid1, libblkid1-debuginfo, libfuse2, libfuse2-debuginfo, libuuid-devel, libuuid1, libuuid1-debuginfo, util-linux, util-linux-debuginfo, util-linux-debugsource, util-linux-lang, uuidd, uuidd-debuginfo
Products:
openSUSE 11.2 (debug, i586, x86_64)
Comment 15 Swamp Workflow Management 2011-03-31 08:22:50 UTC
Update released for: fuse, fuse-debuginfo, fuse-debugsource, fuse-devel, fuse-devel-static, libblkid-devel, libblkid1, libblkid1-debuginfo, libfuse2, libfuse2-debuginfo, libuuid-devel, libuuid1, libuuid1-debuginfo, util-linux, util-linux-debuginfo, util-linux-debugsource, util-linux-lang, uuidd, uuidd-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
Comment 16 Ludwig Nussel 2011-03-31 08:28:49 UTC
released
Comment 17 Swamp Workflow Management 2011-03-31 12:06:30 UTC
Update released for: fuse, fuse-debuginfo, fuse-devel, libfuse2, util-linux, util-linux-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP3 (i386, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Comment 18 Swamp Workflow Management 2011-03-31 13:02:09 UTC
Update released for: fuse, fuse-debuginfo, fuse-devel, libfuse2
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 19 Leonardo Chiquitto 2011-04-05 21:20:29 UTC
*** Bug 685055 has been marked as a duplicate of this bug. ***
Comment 20 Leonardo Chiquitto 2011-05-24 21:34:26 UTC
*** Bug 685055 has been marked as a duplicate of this bug. ***