Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 664334 (CVE-2018-10906)

Summary: <sys-fs/fuse-{2.9.8,3.2.6}: bypass of the "user_allow_other" restriction when SELinux is active (CVE-2018-10906)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ajak, base-system, bman, radhermit
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://sourceforge.net/p/fuse/mailman/message/36374753/
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 23:41:10 UTC 
CVE-2018-10906 (https://nvd.nist.gov/vuln/detail/CVE-2018-10906):
  In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable
  to a restriction bypass when SELinux is active. This allows non-root users
  to mount a FUSE file system with the 'allow_other' mount option regardless
  of whether 'user_allow_other' is set in the fuse configuration. An attacker
  may use this flaw to mount a FUSE file system, accessible by other users,
  and trick them into accessing files on that file system, possibly causing
  Denial of Service or other unspecified effects.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-22 23:42:14 UTC 
Upstream patch: https://github.com/libfuse/libfuse/pull/268
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-28 07:07:26 UTC 
Last vulnerable 2.x ebuild was removed June 2019:

commit 013f53985fa39e994910490ac88cb73d5f777695
Author: Tim Harder <radhermit@gentoo.org>
Date:   Sat Jun 15 23:06:23 2019 -0500

    sys-fs/fuse: remove old

    Signed-off-by: Tim Harder <radhermit@gentoo.org>

 delete mode 100644 sys-fs/fuse/fuse-2.9.7.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.4.1.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.4.2.ebuild


Last vulnerable 3.x ebuild was removed December 2018:

commit 2a623ce4a5c3ba77551661069d1a64be98d3b457
Author: Tim Harder <radhermit@gentoo.org>
Date:   Tue Dec 11 22:06:46 2018 -0600

    sys-fs/fuse: remove old

    Signed-off-by: Tim Harder <radhermit@gentoo.org>

 delete mode 100644 sys-fs/fuse/fuse-2.9.7-r1.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.2.1.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.2.2.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.2.3.ebuild
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-06 00:18:09 UTC 
GLSA vote: no. Closing.