112902 – sys-fs/fuse: fusermount can corrupt /etc/mtab (CVE-2005-3531)

Bug 112902 - sys-fs/fuse: fusermount can corrupt /etc/mtab (CVE-2005-3531)

Summary: sys-fs/fuse: fusermount can corrupt /etc/mtab (CVE-2005-3531)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://cvs.sourceforge.net/viewcvs.py...
Whiteboard:	B2? [glsa] koon
Keywords:

Depends on:
Blocks:

Reported:	2005-11-18 04:55 UTC by Thierry Carrez (RETIRED)
Modified:	2005-11-22 08:58 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
fusermount.patch (fusermount.patch,1.27 KB, patch) 2005-11-19 03:32 UTC, Thierry Carrez (RETIRED)	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thierry Carrez (RETIRED) gentoo-dev

2005-11-18 04:55:55 UTC

Thomas Biege discovered that fusermount can be abused to corrupt the /etc/mtab.
He thinks it can be used to set mount options for the fuse FS. This only works
if fusermount is setuid root (default on Gentoo) :

-rwsr-xr-x  1 root root 18820 Nov 18 13:47 fusermount

Miklos Szeredi <miklos@szeredi.hu> is preparing a patch, waiting for the
disclosure date.

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-11-19 03:32:17 UTC

Created attachment 73173 [details, diff]
fusermount.patch

Patch from Miklos.

Comment 2 Thierry Carrez (RETIRED) gentoo-dev

2005-11-19 03:33:43 UTC

Ccing maintainer. 
genstef: please prepare a new ebuild but do not commit anything to Portage yet.
We are waiting for an embargo end date.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-11-19 13:17:49 UTC

Fix committed to upstream CVS. Please provide and commit an updated ebuild.

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-11-19 14:20:11 UTC

genstef, just note the bug # in the Changelog for now and nothing else.

Comment 5 Stefan Schweizer (RETIRED) gentoo-dev

2005-11-19 15:24:26 UTC

I committed an updated ebuild, 2.4.1-r1

I hope it is ok, that I revbumped it

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-11-19 23:49:01 UTC

Thx Stefan. 
 
Arch security liaisons, please test and mark stable. Don't do any verbose  
Changelogs at this time, it's still not completely public. 
  
Calling:  
ppc -> hansmi  
amd64 -> blubb  
x86 -> halcy0n

Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2005-11-20 02:21:38 UTC

Marked stable on ppc.

Comment 8 Simon Stelling (RETIRED) gentoo-dev

2005-11-20 11:03:05 UTC

sir, amd64 stable, sir.

Comment 9 Mark Loeser (RETIRED) gentoo-dev

2005-11-20 11:30:46 UTC

x86 done

Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-11-20 13:02:07 UTC

Waiting for public disclsure.

Comment 11 Thierry Carrez (RETIRED) gentoo-dev

2005-11-22 08:58:27 UTC

GLSA 200511-17