Bug 352150 (CVE-2010-3879) - <sys-fs/fuse-2.8.2, <util-linux-2.17: race condition (CVE-2010-3879)
Summary: <sys-fs/fuse-2.8.2, <util-linux-2.17: race condition (CVE-2010-3879)
Status: RESOLVED FIXED
Alias: CVE-2010-3879
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Reported: 2011-01-19 19:52 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-02-23 22:37 UTC

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-19 19:52:16 UTC
It was reported [1],[2] that the fusermount tool was vulnerable to a race
condition between mounting a user filesystem and updating mtab using the
standard mount command.  If a user were able to win the race, the real mount
entry and the mtab entry would differ, making the fuse-mounted filesystem not
unmountable by an unprivileged user.  Crafted mtab entries can then be used to
trick fusermount into believing that a certain part of the filesystem is a
user-space filesystem, and will unmount what should be a privileged filesystem
(as demonstrated by unmounting /proc).

According to the SUSE bug report [3], this would affect fuse versions before
2.8.2 or util-linux before 2.17, and notes the following commits that correct
the problem:

Relevant fuse commits:

  4c3d9b1957 "Use '--no-canonicalize' option of mount(8)..."
  0197ce4041 "Using --no-canonicalize with umount(8) conflicts with..."

and util-linux commits:

  45fc569a75 "mount: add --no-canonicalize option" 
  be9adec40f "mount: disable --no-canonicalize for non-root users"

[1] http://www.halfdog.net/Security/FuseTimerace/
[2] http://seclists.org/fulldisclosure/2010/Nov/15
[3] https://bugzilla.novell.com/show_bug.cgi?id=651598
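
The description above turns on mtab and the real mount table disagreeing. The following is an added example (not part of the bug report, and not fuse or util-linux code) that audits an mtab against the kernel's mount table and reports the disagreements. It assumes /etc/mtab is a regular file rather than a symlink to /proc/self/mounts; the two sample tables are constructed for illustration.

```python
import re

# Constructed sample tables; on a live host read /proc/self/mounts and /etc/mtab.
KERNEL = r"""proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda1 / ext4 rw,relatime 0 0
alice@host: /home/alice/mnt fuse.sshfs rw,nosuid,nodev,user_id=1000 0 0
"""
MTAB = r"""/dev/sda1 / ext4 rw 0 0
proc /proc proc rw 0 0
fs /proc fuse rw,nosuid,nodev,user=alice 0 0
fs /home/alice/old\040mnt fuse rw,nosuid,nodev,user=alice 0 0
"""

def parse_mounts(text):
    """Return (source, mountpoint, fstype) tuples from mtab-format text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        # Whitespace and backslashes inside a field are stored as \ooo octal escapes.
        entries.append(tuple(
            re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), f)
            for f in fields[:3]))
    return entries

def family(fstype):
    """Treat 'fuse' and 'fuse.sshfs' as the same filesystem family."""
    return fstype.split(".", 1)[0]

def audit(mtab_text, kernel_text):
    """List (kind, mountpoint, fstype) where mtab and the kernel table differ."""
    mtab, kernel = parse_mounts(mtab_text), parse_mounts(kernel_text)
    kernel_types = {}
    for _, mnt, fstype in kernel:
        kernel_types.setdefault(mnt, set()).add(family(fstype))
    findings = []
    for _, mnt, fstype in mtab:
        if mnt not in kernel_types:
            findings.append(("stale", mnt, fstype))          # nothing mounted there
        elif family(fstype) not in kernel_types[mnt]:
            findings.append(("type-mismatch", mnt, fstype))  # e.g. fuse claimed on /proc
    listed = {mnt for _, mnt, _ in mtab}
    for _, mnt, fstype in kernel:
        if family(fstype) == "fuse" and mnt not in listed:
            findings.append(("missing-from-mtab", mnt, fstype))  # user cannot unmount
    return findings

if __name__ == "__main__":
    for finding in audit(MTAB, KERNEL):
        print(*finding, sep="\t")
```

A `type-mismatch` on a mount point the kernel reports as a non-FUSE filesystem is the condition the report describes; `missing-from-mtab` is the FUSE mount whose mtab entry went elsewhere.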
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-19 19:53:18 UTC
It seems we have patched ebuilds in the tree, but if this is indeed an A3-rated vulnerability, we should issue a GLSA.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-01-20 07:25:18 UTC
(In reply to comment #1)
> It seems we have patched ebuilds in the tree, but if this is indeed an A3-rated
> vulnerability, we should issue a GLSA.
> 

It looks like we have rated sys-fs/fuse as "marginal software" previously, so I am rerating B3, which requires a GLSA Vote.

GLSA Vote: no.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:37:50 UTC
Stable util-linux is 2.17.2; I think this might not be relevant for us anyways.
Vote: no, closing noglsa.