Bugzilla – Bug 651598
VUL-1: fuse umount race
Last modified: 2011-03-31 13:05:46 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.
------------------------------------------------------------------------------
Date: Thu, 04 Nov 2010 15:45:33 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Subject: [oss-security] CVE request: fuse

Hello,

There is an issue with FUSE that lets unprivileged users unmount arbitrary locations via a symlink attack.

This is a different issue than CVE-2009-3297 and CVE-2010-0789.

Ref.:
http://seclists.org/fulldisclosure/2010/Nov/15
http://www.halfdog.net/Security/FuseTimerace/

Thanks,

Marc.

--
Marc Deslauriers
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
Affected distributions with fuse < 2.8.2 *OR* util-linux < 2.17. This means everything except 11.3 and Factory:
  11.1
  11.2
  sle10-sp3
  sle11
  sle11-moblin20
  sle11-sp1
Relevant fuse commits:
  4c3d9b1957 "Use '--no-canonicalize' option of mount(8)..."
  0197ce4041 "Using --no-canonicalize with umount(8) conflicts with..."
and util-linux commits:
  45fc569a75 "mount: add --no-canonicalize option"
  be9adec40f "mount: disable --no-canonicalize for non-root users"
P5->P4 mass change
Created attachment 399921 [details]
fuse fix

Looking deeper, the above is not entirely correct. Fuse versions 2.7.* and 2.8.* are all affected.
The fix needs "--no-canonicalize" and "--fake" options in umount(8), which are present in util-linux-ng >= 2.18. The following commits need backporting to earlier versions of util-linux-ng:
  45fc569a75 mount: add --no-canonicalize option
  be9adec40f mount: disable --no-canonicalize for non-root users
  387ade2a24 umount: add --no-canonicalize
  97a3cef4f1 umount: add --fake option to umount(8)
  1cf4c20b19 mount: don't canonicalize "spec" with --no-canonicalize option
And a similar race exists during mount, so --no-canonicalize is needed in mount(8) too (covered by the commits listed above).
Fuse versions <2.8.2 need to have these commits backported:
  4c3d9b1957 "Use '--no-canonicalize' option of mount(8)..."
  0197ce4041 "Using --no-canonicalize with umount(8) conflicts with..."
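An added audit sketch, not part of the bug report and not code from fuse or util-linux: it classifies a host's umount(8) against the 2.18 threshold given above and, because backported packages keep an older version banner, falls back to checking whether the binary accepts --no-canonicalize and --fake. Function names are hypothetical, and recognising an unsupported option by getopt's "unrecognized option" wording is an assumption.

```sh
#!/bin/sh
# Added audit sketch; function names are hypothetical, not from util-linux or fuse.

REQUIRED_UTIL_LINUX="2.18"   # threshold stated in the comment above

# Print the dotted version found in a `umount -V` banner ($1).
banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*util-linux\(-ng\)\{0,1\} \([0-9][0-9.]*\).*/\2/p' | head -n 1
}

# Succeed when dotted version $1 >= $2, compared numerically per component.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); if (m > n) n = m
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Succeed when probe output ($1) carries no option-parsing error.
# Assumption: an unsupported long option is reported in getopt's wording.
probe_accepts_options() {
    ! printf '%s\n' "$1" |
        grep -Eqi 'unrecognized option|invalid option|unknown option'
}

# classify_umount BANNER PROBE_OUTPUT
# Prints upstream-ok, backported (old banner, options accepted) or needs-backport.
classify_umount() {
    ver=$(banner_version "$1")
    if [ -n "$ver" ] && version_ge "$ver" "$REQUIRED_UTIL_LINUX"; then
        echo upstream-ok
    elif probe_accepts_options "$2"; then
        echo backported
    else
        echo needs-backport
    fi
}

# Live check. The path does not exist and --fake skips the umount(2) call.
audit_local_umount() {
    classify_umount "$(umount -V 2>&1)" \
        "$(umount --no-canonicalize --fake /nonexistent-audit-path 2>&1)"
}
```

Run `audit_local_umount` on a host to get its classification; a "backported" result only shows that umount(8) accepts the options and says nothing about whether the fuse package carries its own fix.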
Updated "util-linux" and "fuse" packages have been submitted to the following projects:
  SUSE:SLE-10-SP3:Update:Test
  SUSE:SLE-10-SP4:Update:Test
  SUSE:SLE-11:Update:Test
  SUSE:SLE-11-SP1:Update:Test
  SUSE:Factory:Head
  openSUSE:11.2:Update:Test
  openSUSE:11.3:Update:Test
In all 14 submitrequests.
Reassigning to security team for further processing.
Thanks a lot.
(Note: It is still filed as "planned update" and will therefore be released later.)
CVE-2010-3879: CVSS v2 Base Score: 3.6 (moderate) (AV:L/AC:L/Au:N/C:N/I:P/A:P): unknown (unknown)
submitting it for SLE10 SP4
The SWAMPID for this issue is 37926. This issue was rated as low. Please submit fixed packages until 2011-01-19. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
there is a conflicting util-linux submission on sle11sp1 from Petr (sr#9153). Could you please merge and resubmit?
(In reply to comment #11)
> there is a conflicting util-linux submission on sle11sp1 from Petr (sr#9153).
> Could you please merge and resubmit?
submitted a merged request: sr#9881.
Please wait with releasing an update until fixes are submitted for the new issue reported in bug 668820.
And let's also include bnc#667215 from the "planned update" list please.
Update released for: fuse, fuse-debuginfo, fuse-debugsource, fuse-devel, libblkid-devel, libblkid-devel-32bit, libblkid1, libblkid1-32bit, libblkid1-x86, libfuse2, libuuid-devel, libuuid-devel-32bit, libuuid1, libuuid1-32bit, libuuid1-x86, util-linux, util-linux-debuginfo, util-linux-debugsource, util-linux-lang, uuid-runtime
Products:
  SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
  SLE-DESKTOP 11-SP1 (i386, x86_64)
  SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
  SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
  SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: fuse, fuse-debuginfo, fuse-debugsource, fuse-devel, fuse-devel-static, libblkid-devel, libblkid1, libblkid1-debuginfo, libfuse2, libfuse2-debuginfo, libuuid-devel, libuuid1, libuuid1-debuginfo, util-linux, util-linux-debuginfo, util-linux-debugsource, util-linux-lang, uuidd, uuidd-debuginfo
Products:
  openSUSE 11.2 (debug, i586, x86_64)
Update released for: fuse, fuse-debuginfo, fuse-debugsource, fuse-devel, fuse-devel-static, libblkid-devel, libblkid1, libblkid1-debuginfo, libfuse2, libfuse2-debuginfo, libuuid-devel, libuuid1, libuuid1-debuginfo, util-linux, util-linux-debuginfo, util-linux-debugsource, util-linux-lang, uuidd, uuidd-debuginfo
Products:
  openSUSE 11.3 (debug, i586, x86_64)
released
Update released for: fuse, fuse-debuginfo, fuse-devel, libfuse2, util-linux, util-linux-debuginfo
Products:
  SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
  SLE-DESKTOP 10-SP3 (i386, x86_64)
  SLE-SAP-APL 10-SP3 (x86_64)
  SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64)
  SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Update released for: fuse, fuse-debuginfo, fuse-devel, libfuse2
Products:
  SLE-DESKTOP 10-SP4 (i386, x86_64)
  SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)