Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 550152 (CVE-2015-3202) - <sys-fs/fuse-2.9.4: incorrect filtering of environment variables leading to privilege escalation (CVE-2015-3202)
Summary: <sys-fs/fuse-2.9.4: incorrect filtering of environment variables leading to p...
Status: RESOLVED FIXED
Alias: CVE-2015-3202
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-22 09:51 UTC by Agostino Sarubbo
Modified: 2017-02-04 11:47 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-05-22 09:51:20 UTC
From ${URL} :

It was foudn that FUSE, a Filesystem in USErspace, did not properly sanitize environment variables 
before executing a mount or umount operation with elevated privileges. A local attacker could use 
this flaw to overwrite arbitrary files on the system or escalate their privileges.

Additional details:

http://seclists.org/oss-sec/2015/q2/520

patch: https://bugzilla.redhat.com/attachment.cgi?id=1028606


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2015-06-01 19:07:41 UTC
Maintainers: version 2.9.4 is available and fixes the vulnerability.
Comment 2 Tim Harder gentoo-dev 2015-06-18 04:19:12 UTC
Arches please stabilize 2.9.4.
Comment 3 Agostino Sarubbo gentoo-dev 2015-06-18 08:37:45 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-20 05:59:14 UTC
Stable for HPPA.
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-06-20 18:49:26 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-21 06:47:42 UTC
Stable for PPC64.
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-24 07:59:36 UTC
ppc stable
Comment 8 Markus Meier gentoo-dev 2015-06-28 08:38:53 UTC
arm stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-06-28 17:32:42 UTC
alpha stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-19 18:18:34 UTC
ia64 stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2015-07-19 20:25:15 UTC
CVE-2015-3202 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3202):
  fusermount in FUSE before 2.9.3-15 does not properly clear the environment
  before invoking (1) mount or (2) umount as root, which allows local users to
  write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable
  that is used by mount's debugging feature.
Comment 12 Agostino Sarubbo gentoo-dev 2015-07-23 09:37:38 UTC
sparc stable
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-09-09 05:11:23 UTC
Since arm64 is not part of the stable arches, we will leave it for stabilization in due time but meanwhile we are going to go ahead with the GLSA.

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-11-02 20:37:44 UTC
It has been 30 days+ since cleanup requested.
Maintainer(s), please drop the vulnerable version(s).
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-12-20 19:31:57 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 16 Tim Harder gentoo-dev 2016-01-16 18:14:05 UTC
(In reply to Yury German from comment #15)
> Maintainer(s), please drop the vulnerable version(s).

Done.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 08:24:13 UTC
Maintainer(s), Thank you for your work.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2016-03-09 18:05:51 UTC
This issue was resolved and addressed in
 GLSA 201603-04 at https://security.gentoo.org/glsa/201603-04
by GLSA coordinator Kristian Fiskerstrand (K_F).