oss-sec mailing list archives
Re: CVE request: fuse
From: Josh Bressers <bressers () redhat com>
Date: Tue, 8 Feb 2011 14:09:18 -0500 (EST)
Sorry for the dealy, some other things popped up :( I'm going to assign 3 IDs. These look like they maybe could be combined, but I'd rather not try to just to have a big split later on when we find out various versions are affected in different ways.
http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f Fuse tries to mount a directory without resolving symlinks, and then tries to update mtab. If it couldn't update mtab, it would unmount the directory while resolving symlinks this time, resulting in a different directory being unmounted.
Use CVE-2011-0541
http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873 This prevents local users from changing the location of the current directory from under fuse using a timing attack.
Use CVE-2011-0542
http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47 Fuse uses the --no-canonicalize mount option to prevent a symlink attack on the mount point written to mtab. For backwards compatibility reasons, it would fallback to using mount in an insecure way. This fallback could get triggered by a user when an entry already existed in mtab.
Use CVE-2011-0543
Thanks.
--
JB
Current thread:
- CVE request: fuse Marc Deslauriers (Feb 01)
- Re: CVE request: fuse Josh Bressers (Feb 03)
- Re: CVE request: fuse Marc Deslauriers (Feb 03)
- Re: CVE request: fuse Josh Bressers (Feb 08)
- Re: CVE request: fuse Marc Deslauriers (Feb 03)
- Re: CVE request: fuse Josh Bressers (Feb 03)