Bug 112902

Summary: sys-fs/fuse: fusermount can corrupt /etc/mtab (CVE-2005-3531)
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: genstef
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://cvs.sourceforge.net/viewcvs.py/fuse/fuse/util/fusermount.c?r1=1.69&r2=1.70
Whiteboard: B2? [glsa] koon
Package list:
Runtime testing required: ---
Attachments:
Description Flags
fusermount.patch none

Description Thierry Carrez (RETIRED) gentoo-dev 2005-11-18 04:55:55 UTC
Thomas Biege discovered that fusermount can be abused to corrupt the /etc/mtab.
He thinks it can be used to set mount options for the fuse FS. This only works
if fusermount is setuid root (default on Gentoo):

-rwsr-xr-x  1 root root 18820 Nov 18 13:47 fusermount

Miklos Szeredi <miklos@szeredi.hu> is preparing a patch, waiting for the
disclosure date.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-11-19 03:32:17 UTC
Created attachment 73173
fusermount.patch

Patch from Miklos.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-11-19 03:33:43 UTC
Ccing maintainer. 
genstef: please prepare a new ebuild but do not commit anything to Portage yet.
We are waiting for an embargo end date.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-19 13:17:49 UTC
Fix committed to upstream CVS. Please provide and commit an updated ebuild. 
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-19 14:20:11 UTC
genstef, just note the bug # in the Changelog for now and nothing else.  
Comment 5 Stefan Schweizer (RETIRED) gentoo-dev 2005-11-19 15:24:26 UTC
I committed an updated ebuild, 2.4.1-r1

I hope it is ok, that I revbumped it
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-19 23:49:01 UTC
Thx Stefan. 
 
Arch security liaisons, please test and mark stable. Don't do any verbose  
Changelogs at this time, it's still not completely public. 
  
Calling:  
ppc -> hansmi  
amd64 -> blubb  
x86 -> halcy0n  
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-11-20 02:21:38 UTC
Marked stable on ppc.
Comment 8 Simon Stelling (RETIRED) gentoo-dev 2005-11-20 11:03:05 UTC
sir, amd64 stable, sir.
Comment 9 Mark Loeser (RETIRED) gentoo-dev 2005-11-20 11:30:46 UTC
x86 done
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-20 13:02:07 UTC
Waiting for public disclosure.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-11-22 08:58:27 UTC
GLSA 200511-17