Re: CVE request: fuse

[Marc Deslauriers <marc.deslauriers () canonical com>]

On Thu, 2011-02-03 at 11:17 -0500, Josh Bressers wrote:
> ----- Original Message -----
> > A few more fixes have made their way to FUSE to prevent TOCTTOU symlink
> > attacks. An unprivileged user was able to unmount arbitrary mounts:
> >
> > http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f
> > http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873
> > http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47
> >
> > Could we please get one or more CVE numbers for them?
>
> I don't understand what these flaws are just by reading the commit
> messages. Can you explain them?
>
> Thanks.

Sure!

http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f

Fuse tries to mount a directory without resolving symlinks, and then
tries to update mtab. If it couldn't update mtab, it would unmount the
directory while resolving symlinks this time, resulting in a different
directory being unmounted.

http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873

This prevents local users from changing the location of the current
directory from under fuse using a timing attack.

http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47

Fuse uses the --no-canonicalize mount option to prevent a symlink attack
on the mount point written to mtab. For backwards compatibility reasons,
it would fallback to using mount in an insecure way. This fallback could
get triggered by a user when an entry already existed in mtab.


All three of these issues allowed local users to trick fuse into
unmounting arbitrary directories.

Marc.