Bug 651598 - VUL-1: fuse umount race
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
maint:released:sle11-sp1:39128 maint:...
Reported: 2010-11-05 06:56 UTC by Ludwig Nussel
Modified: 2011-03-31 13:05 UTC (History)
Found By: Other
Attachments
fuse fix (2.99 KB, patch)
2010-11-12 13:38 UTC, Miklos Szeredi
Description Ludwig Nussel 2010-11-05 06:56:21 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

------------------------------------------------------------------------------
Date: Thu, 04 Nov 2010 15:45:33 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Subject: [oss-security] CVE request: fuse

Hello,

There is an issue with FUSE that lets unprivileged users unmount
arbitrary locations via a symlink attack. This is a different issue than
CVE-2009-3297 and CVE-2010-0789.

Ref.:

http://seclists.org/fulldisclosure/2010/Nov/15
http://www.halfdog.net/Security/FuseTimerace/

Thanks,

Marc.


-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
Comment 1 Miklos Szeredi 2010-11-05 12:00:10 UTC
Affected distributions with fuse < 2.8.2 *OR* util-linux < 2.17.  This means everything except 11.3 and Factory:

11.1
11.2
sle10-sp3
sle11
sle11-moblin20
sle11-sp1

Relevant fuse commits:

  4c3d9b1957 "Use '--no-canonicalize' option of mount(8)..."
  0197ce4041 "Using --no-canonicalize with umount(8) conflicts with..."

and util-linux commits:

  45fc569a75 "mount: add --no-canonicalize option" 
  be9adec40f "mount: disable --no-canonicalize for non-root users"
Comment 2 Thomas Biege 2010-11-09 10:22:36 UTC
P5->P4 mass change
Comment 3 Miklos Szeredi 2010-11-12 13:38:54 UTC
Created attachment 399921 [details]
fuse fix

Looking deeper, the above is not entirely correct.  Fuse versions 2.7.* and 2.8.* are all affected.  The fix needs "--no-canonicalize" and "--fake" options in umount(8), which are present in util-linux-ng >= 2.18.

The following commits need backporting to earlier versions of util-linux-ng:

  45fc569a75 mount: add --no-canonicalize option
  be9adec40f mount: disable --no-canonicalize for non-root users
  387ade2a24 umount: add --no-canonicalize
  97a3cef4f1 umount: add --fake option to umount(8)
  1cf4c20b19 mount: don't canonicalize "spec" with --no-canonicalize option
Comment 4 Miklos Szeredi 2010-11-12 13:45:06 UTC
And a similar race exists during mount, so --no-canonicalize is needed in mount(8) too (covered by the commits listed above).

Fuse versions <2.8.2 need to have these commits backported:

  4c3d9b1957 "Use '--no-canonicalize' option of mount(8)..."
  0197ce4041 "Using --no-canonicalize with umount(8) conflicts with..."
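
A check for whether a host's umount(8) has the two options comment 3 names, added here as an example and not part of the bug thread or of the fuse or util-linux projects. Because the fixes were backported to older package versions, it probes for the options rather than comparing version numbers. The function names and sample help texts are constructed for illustration, and it assumes the installed umount lists its long options in its `--help` output.

```shell
#!/bin/sh
# Added example: decide from `umount --help` text whether the umount(8)
# options the fuse fix depends on (--no-canonicalize, --fake) are available.

# has_option HELP_TEXT OPTION
# Succeeds if OPTION occurs as a complete option name, so "--fake" does not
# match a longer name such as "--fake-root" (hypothetical).
has_option() {
    printf '%s\n' "$1" |
        grep -Eq -- "(^|[^[:alnum:]-])$2([^[:alnum:]-]|\$)"
}

# umount_fix_ready HELP_TEXT
# Prints "ready" when both options are present, otherwise "missing: <opts>".
umount_fix_ready() {
    missing=""
    for opt in --no-canonicalize --fake; do
        has_option "$1" "$opt" || missing="$missing $opt"
    done
    if [ -z "$missing" ]; then
        echo "ready"
    else
        echo "missing:$missing"
    fi
}

# Constructed sample help texts (not captured from real builds).
HELP_OLD='Usage: umount [-hV]
       umount -a [-f] [-r] [-n] [-v] [-t vfstypes] [-O opts]
       umount [-f] [-r] [-n] [-v] special | node...'
HELP_PARTIAL='Usage: umount [-hV]
       umount [-f] [-r] [-n] [-v] special | node...
     --no-canonicalize   do not canonicalize paths'
HELP_NEW='Usage: umount [-hV]
       umount [-d] [-f] [-r] [-n] [-v] special | node...
     --no-canonicalize   do not canonicalize paths
     --fake              dry run, skip the umount(2) call'

# Live probe of the installed binary: run the script with --live.
if [ "${1:-}" = "--live" ]; then
    umount_fix_ready "$(umount --help 2>&1)"
fi
```

A "missing" result on a host that still ships the setuid fusermount helper means the backports listed in comments 3 and 4 have not been applied there.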
Comment 7 Miklos Szeredi 2010-12-03 12:37:34 UTC
Updated "util-linux" and "fuse" packages have been submitted to the following projects:

SUSE:SLE-10-SP3:Update:Test
SUSE:SLE-10-SP4:Update:Test
SUSE:SLE-11:Update:Test
SUSE:SLE-11-SP1:Update:Test
SUSE:Factory:Head
openSUSE:11.2:Update:Test
openSUSE:11.3:Update:Test

In all 14 submitrequests.

Reassigning to security team for further processing.
Comment 8 Thomas Biege 2010-12-03 15:26:28 UTC
Thanks a lot. (Note: It is still filed as "planned update" and will therefore be released later.)

CVE-2010-3879: CVSS v2 Base Score: 3.6 (moderate) (AV:L/AC:L/Au:N/C:N/I:P/A:P): unknown (unknown)
Comment 9 Dirk Mueller 2010-12-08 14:13:59 UTC
submitting it for SLE10 SP4
Comment 10 Swamp Workflow Management 2010-12-22 14:52:50 UTC
The SWAMPID for this issue is 37926.
This issue was rated as low.
Please submit fixed packages until 2011-01-19.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 11 Ludwig Nussel 2010-12-22 14:57:02 UTC
there is a conflicting util-linux submission on sle11sp1 from Petr (sr#9153). Could you please merge and resubmit?
Comment 12 Miklos Szeredi 2010-12-22 16:13:40 UTC
(In reply to comment #11)
> there is a conflicting util-linux submission on sle11sp1 from Petr (sr#9153).
> Could you please merge and resubmit?

submitted a merged request: sr#9881.
Comment 15 Miklos Szeredi 2011-02-02 09:21:20 UTC
Please wait with releasing an update until fixes are submitted for the new issue reported in bug 668820.
Comment 16 Thomas Biege 2011-02-03 14:49:13 UTC
And let's also include bnc#667215 from the "planned update" list please.
Comment 17 Swamp Workflow Management 2011-03-30 12:11:29 UTC
Update released for: fuse, fuse-debuginfo, fuse-debugsource, fuse-devel, libblkid-devel, libblkid-devel-32bit, libblkid1, libblkid1-32bit, libblkid1-x86, libfuse2, libuuid-devel, libuuid-devel-32bit, libuuid1, libuuid1-32bit, libuuid1-x86, util-linux, util-linux-debuginfo, util-linux-debugsource, util-linux-lang, uuid-runtime
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 18 Swamp Workflow Management 2011-03-31 08:22:18 UTC
Update released for: fuse, fuse-debuginfo, fuse-debugsource, fuse-devel, fuse-devel-static, libblkid-devel, libblkid1, libblkid1-debuginfo, libfuse2, libfuse2-debuginfo, libuuid-devel, libuuid1, libuuid1-debuginfo, util-linux, util-linux-debuginfo, util-linux-debugsource, util-linux-lang, uuidd, uuidd-debuginfo
Products:
openSUSE 11.2 (debug, i586, x86_64)
Comment 19 Swamp Workflow Management 2011-03-31 08:22:49 UTC
Update released for: fuse, fuse-debuginfo, fuse-debugsource, fuse-devel, fuse-devel-static, libblkid-devel, libblkid1, libblkid1-debuginfo, libfuse2, libfuse2-debuginfo, libuuid-devel, libuuid1, libuuid1-debuginfo, util-linux, util-linux-debuginfo, util-linux-debugsource, util-linux-lang, uuidd, uuidd-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
Comment 20 Ludwig Nussel 2011-03-31 08:28:44 UTC
released
Comment 21 Swamp Workflow Management 2011-03-31 12:06:22 UTC
Update released for: fuse, fuse-debuginfo, fuse-devel, libfuse2, util-linux, util-linux-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP3 (i386, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Comment 22 Swamp Workflow Management 2011-03-31 13:02:06 UTC
Update released for: fuse, fuse-debuginfo, fuse-devel, libfuse2
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)