Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 664334 (CVE-2018-10906) - <sys-fs/fuse-{2.9.8,3.2.6}: bypass of the "user_allow_other" restriction when SELinux is active (CVE-2018-10906)
Summary: <sys-fs/fuse-{2.9.8,3.2.6}: bypass of the "user_allow_other" restriction when...
Status: RESOLVED FIXED
Alias: CVE-2018-10906
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://sourceforge.net/p/fuse/mailma...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-22 23:41 UTC by GLSAMaker/CVETool Bot
Modified: 2021-07-06 00:18 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 23:41:10 UTC
CVE-2018-10906 (https://nvd.nist.gov/vuln/detail/CVE-2018-10906):
  In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable
  to a restriction bypass when SELinux is active. This allows non-root users
  to mount a FUSE file system with the 'allow_other' mount option regardless
  of whether 'user_allow_other' is set in the fuse configuration. An attacker
  may use this flaw to mount a FUSE file system, accessible by other users,
  and trick them into accessing files on that file system, possibly causing
  Denial of Service or other unspecified effects.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-22 23:42:14 UTC
Upstream patch: https://github.com/libfuse/libfuse/pull/268
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-28 07:07:26 UTC
Last vulnerable 2.x ebuild was removed June 2019:

commit 013f53985fa39e994910490ac88cb73d5f777695
Author: Tim Harder <radhermit@gentoo.org>
Date:   Sat Jun 15 23:06:23 2019 -0500

    sys-fs/fuse: remove old

    Signed-off-by: Tim Harder <radhermit@gentoo.org>

 delete mode 100644 sys-fs/fuse/fuse-2.9.7.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.4.1.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.4.2.ebuild


Last vulnerable 3.x ebuild was removed December 2018:

commit 2a623ce4a5c3ba77551661069d1a64be98d3b457
Author: Tim Harder <radhermit@gentoo.org>
Date:   Tue Dec 11 22:06:46 2018 -0600

    sys-fs/fuse: remove old

    Signed-off-by: Tim Harder <radhermit@gentoo.org>

 delete mode 100644 sys-fs/fuse/fuse-2.9.7-r1.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.2.1.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.2.2.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.2.3.ebuild
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-06 00:18:09 UTC
GLSA vote: no. Closing.