oss-security February 2011 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: Re: [oss-security] CVE request: fuse

Re: [oss-security] CVE request: fuse

From: Josh Bressers <bressers_at_nospam>
Date: Tue Feb 08 2011 - 19:09:18 GMT
To: oss-security@lists.openwall.com

Sorry for the dealy, some other things popped up :(

I'm going to assign 3 IDs. These look like they maybe could be combined,
but I'd rather not try to just to have a big split later on when we find
out various versions are affected in different ways.

> http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f
> Fuse tries to mount a directory without resolving symlinks, and then
> tries to update mtab. If it couldn't update mtab, it would unmount the
> directory while resolving symlinks this time, resulting in a different
> directory being unmounted.

Use CVE-2011-0541

> http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873
> This prevents local users from changing the location of the current
> directory from under fuse using a timing attack.

Use CVE-2011-0542

> http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47
> Fuse uses the --no-canonicalize mount option to prevent a symlink attack
> on the mount point written to mtab. For backwards compatibility reasons,
> it would fallback to using mount in an insecure way. This fallback could
> get triggered by a user when an entry already existed in mtab.

Use CVE-2011-0543


-- JB