CVE-2018-10906 (https://nvd.nist.gov/vuln/detail/CVE-2018-10906): In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects.
Upstream patch: https://github.com/libfuse/libfuse/pull/268
Last vulnerable 2.x ebuild was removed June 2019:

commit 013f53985fa39e994910490ac88cb73d5f777695
Author: Tim Harder <radhermit@gentoo.org>
Date:   Sat Jun 15 23:06:23 2019 -0500

    sys-fs/fuse: remove old

    Signed-off-by: Tim Harder <radhermit@gentoo.org>

 delete mode 100644 sys-fs/fuse/fuse-2.9.7.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.4.1.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.4.2.ebuild

Last vulnerable 3.x ebuild was removed December 2018:

commit 2a623ce4a5c3ba77551661069d1a64be98d3b457
Author: Tim Harder <radhermit@gentoo.org>
Date:   Tue Dec 11 22:06:46 2018 -0600

    sys-fs/fuse: remove old

    Signed-off-by: Tim Harder <radhermit@gentoo.org>

 delete mode 100644 sys-fs/fuse/fuse-2.9.7-r1.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.2.1.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.2.2.ebuild
 delete mode 100644 sys-fs/fuse/fuse-3.2.3.ebuild
GLSA vote: no. Closing.
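An audit check for the condition in the CVE description, added here as an example (not code from libfuse, Gentoo, or any commenter on this bug): it tests a version string against the affected ranges and flags FUSE mounts made by a non-root user with 'allow_other' while 'user_allow_other' is absent from fuse.conf. The function names and sample data are constructed for illustration; the default paths /proc/mounts and /etc/fuse.conf are assumptions about the host.

```python
import re

# Constructed sample input in /proc/mounts and fuse.conf format.
SAMPLE_MOUNTS = """\
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
alice@host:/srv /home/alice/share fuse.sshfs rw,nosuid,nodev,user_id=1000,group_id=1000,allow_other 0 0
/dev/sdb1 /mnt/usb fuseblk rw,relatime,user_id=0,group_id=0,allow_other,blksize=4096 0 0
bob@host:/ /home/bob/r fuse.sshfs rw,nosuid,nodev,user_id=1001,group_id=1001 0 0
"""
SAMPLE_CONF = "# mount_max = 1000\n#user_allow_other\n"

def is_affected(version):
    """True if the version is before 2.9.8, or 3.x before 3.2.5 (per the CVE text)."""
    v = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    v += (0,) * (3 - len(v))
    return v < (2, 9, 8) or (3, 0, 0) <= v < (3, 2, 5)

def user_allow_other_enabled(fuse_conf):
    """True if fuse.conf contains an uncommented user_allow_other line."""
    return any(line.split("#", 1)[0].strip() == "user_allow_other"
               for line in fuse_conf.splitlines())

def unexpected_allow_other(mounts, fuse_conf):
    """Return (mountpoint, uid) for non-root FUSE mounts that carry allow_other
    although user_allow_other is not enabled in fuse.conf."""
    if user_allow_other_enabled(fuse_conf):
        return []
    hits = []
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        fstype, opts = fields[2], fields[3].split(",")
        if fstype not in ("fuse", "fuseblk") and not fstype.startswith("fuse."):
            continue
        uid = next((int(o[8:]) for o in opts if o.startswith("user_id=")), None)
        if "allow_other" in opts and uid not in (None, 0):
            hits.append((fields[1], uid))
    return hits

if __name__ == "__main__":
    try:
        conf = open("/etc/fuse.conf").read()
    except OSError:
        conf = ""  # a missing file means user_allow_other is not set
    for mountpoint, uid in unexpected_allow_other(open("/proc/mounts").read(), conf):
        print(f"review: {mountpoint} mounted by uid {uid} with allow_other")
```

A hit is a mount to review, not proof of the bypass: fuse.conf may have been edited after the mount was made.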