[Bug 670622] Re: fusermount allows unmount any filesystem
Launchpad has imported 25 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=651183.

If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2010-11-08T22:35:33+00:00 Vincent wrote:

It was reported [1],[2] that the fusermount tool was vulnerable to a race condition between mounting a user filesystem and updating mtab using the standard mount command. If a user were able to win the race, the real mount entry and the mtab entry would differ, making the fuse-mounted filesystem not unmountable by an unprivileged user. Crafted mtab entries can then be used to trick fusermount into believing that a certain part of the filesystem is a user-space filesystem, and will unmount what should be a privileged filesystem (as demonstrated by unmounting /proc).

According to the SUSE bug report [3], this would affect fuse versions before 2.8.2 or util-linux before 2.17, and notes the following commits that correct the problem:

Relevant fuse commits:

4c3d9b1957 "Use '--no-canonicalize' option of mount(8)..."
0197ce4041 "Using --no-canonicalize with umount(8) conflicts with..."

and util-linux commits:

45fc569a75 "mount: add --no-canonicalize option"
be9adec40f "mount: disable --no-canonicalize for non-root users"

[1] http://www.halfdog.net/Security/FuseTimerace/
[2] http://seclists.org/fulldisclosure/2010/Nov/15
[3] https://bugzilla.novell.com/show_bug.cgi?id=651598

Reply at: https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622/comments/3

On 2010-11-23T21:25:36+00:00 Vincent wrote:

In addition to the --no-canonicalize option, the --fake option is also required in umount, which is present in 2.18:

http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commitdiff;h=97a3cef4f1

Another relevant util-linux-ng commit is:

http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commitdiff;h=1cf4c20b19 ("spec" still canonicalized)

The above two would be required for util-linux-ng in RHEL6. All of the commits would be required for util-linux in RHEL5. Fedora 14 has the required util-linux-ng version, but needs the fuse fixes backported.

SUSE has a patch to fuse to make it use --no-canonicalize and --fake which should fix the issue:

https://bugzilla.novell.com/attachment.cgi?id=399921

Unfortunately, I've been using RHEL6 to test and with the above patches (to fuse and util-linux-ng) and the proof of concept still works. So I don't think these patches are sufficient to correct the problem, although I'm not sure what is missing.

Tom, would you have a chance to look at this and see if perhaps something is missing?

FWIW, I cannot reproduce this on F14. Despite there being no group-restrictions on fuse (not sure why that's the case), I get the following error:

  sh Test.sh
  Using target call count 8
  Move triggered at count 8
  fusermount: user has no write access to mountpoint /proc
  fusermount: could not determine username

(although sometimes that first fusermount error shows:

  fusermount: user has no write access to mountpoint /home/vdanen/tmp/CVE-2010-3879/tmp/proc

which is the user-mounted directory).

By contrast, fuse-2.8.5-2.fc13 and util-linux-ng-2.17.2-8.fc13 allow me to reproduce this on F13. The same fuse version is on both, but F14 has (a newer) util-linux-ng-2.18-4.5.fc14.

Reply at: https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622/comments/7

On 2010-11-23T22:06:49+00:00 Vincent wrote:

After rebuilding util-linux-ng-2.18-4.5 on Fedora 13, I am still able to reproduce the problem. Then I realized there was an issue with my F14 testing vm, so after rebooting it, I can indeed reproduce this on F14 (seems something was mucked with sssd which is why I was seeing those permissions errors).

Reply at: https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622/comments/8

On 2010-11-23T22:38:27+00:00 Vincent wrote:

Patched fuse on F14 and still reproduces (using the SUSE patch). So it's either not sufficient or something is still missing from util-linux-ng (on F14, the 1cf4c20b19 patch is missing; rebuilt with just that patch (on 2.18-4.5) and can still reproduce).

So it looks like there is more required than any of these patches to resolve this.

Reply at: https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622/comments/9

On 2011-01-21T22:29:19+00:00 Vincent wrote:

This has stalled for quite a bit. Has any developer/owner of fuse been able to take a look into this to see what is going on?

Reply at:
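The condition described in the first imported comment above, where the mtab entry and the real mount entry differ, can be audited for on hosts that keep /etc/mtab as a regular file by comparing it with the kernel's mount table. This is an added example, not part of the bug thread or of fuse; the sample tables, paths and user names are constructed, and `audit` and its helpers are hypothetical names.

```python
import re

# Constructed sample tables (not taken from the bug report).
SAMPLE_KERNEL = r"""proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda1 / ext4 rw 0 0
sshfs#host:/data /home/alice/mnt fuse rw,nosuid,nodev,user_id=1000 0 0
"""
SAMPLE_MTAB = r"""proc /proc proc rw 0 0
/dev/sda1 / ext4 rw 0 0
sshfs#host:/data /home/alice/mnt fuse rw,nosuid,nodev,user=alice 0 0
fusefs /proc fuse rw,nosuid,nodev,user=bob 0 0
fusefs /home/bob/my\040dir fuse rw,nosuid,nodev,user=bob 0 0
"""

def unescape(field):
    """Decode the octal escapes (\\040 for space, etc.) used in mount tables."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Map mountpoint -> (source, fstype); a later line for the same path wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        table[unescape(fields[1])] = (unescape(fields[0]), fields[2])
    return table

def is_fuse(fstype):
    """True for user-mountable fuse types; fusectl is deliberately excluded."""
    return fstype in ("fuse", "fuseblk") or fstype.startswith("fuse.")

def audit(mtab_text, kernel_text):
    """Return (mountpoint, reason) for fuse entries in mtab the kernel does not confirm."""
    kernel = parse_mounts(kernel_text)
    findings = []
    for mnt, (_src, fstype) in parse_mounts(mtab_text).items():
        if not is_fuse(fstype):
            continue
        real = kernel.get(mnt)
        if real is None:
            findings.append((mnt, "no kernel mount at this path"))
        elif not is_fuse(real[1]):
            findings.append((mnt, "kernel reports type " + real[1]))
    return findings

if __name__ == "__main__":
    # On a real host, pass the contents of /etc/mtab and /proc/self/mounts.
    for mnt, reason in audit(SAMPLE_MTAB, SAMPLE_KERNEL):
        print(mnt, "->", reason)
```

Where /etc/mtab is a symlink to /proc/self/mounts the two tables cannot diverge, so the check only applies to hosts that still maintain mtab as a separate file.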
[Bug 670622] Re: fusermount allows unmount any filesystem
** Changed in: fuse (Debian)
       Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/670622

Title:
  fusermount allows unmount any filesystem

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 670622] Re: fusermount allows unmount any filesystem
** Changed in: fuse (Suse)
       Status: In Progress => Fix Released
[Bug 670622] Re: fusermount allows unmount any filesystem
** Changed in: fuse (Debian)
       Status: Unknown => New
[Bug 670622] Re: fusermount allows unmount any filesystem
** Bug watch added: Debian Bug tracker #602333
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602333

** Also affects: fuse (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602333
   Importance: Unknown
       Status: Unknown

** Bug watch added: Red Hat Bugzilla #651183
   https://bugzilla.redhat.com/show_bug.cgi?id=651183

** Also affects: fuse (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=651183
   Importance: Unknown
       Status: Unknown

** Bug watch added: Novell/SUSE Bugzilla #651598
   https://bugzilla.novell.com/show_bug.cgi?id=651598

** Also affects: fuse (Suse) via
   https://bugzilla.novell.com/show_bug.cgi?id=651598
   Importance: Unknown
       Status: Unknown
[Bug 670622] Re: fusermount allows unmount any filesystem
** Branch linked: lp:ubuntu/fuse

** Branch linked: lp:ubuntu/util-linux
[Bug 670622] Re: fusermount allows unmount any filesystem
Launchpad has imported 11 comments from the remote bug at https://bugzilla.novell.com/show_bug.cgi?id=651598.

If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2010-11-05T06:56:21+00:00 Lnussel wrote:

Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public.

--
Date: Thu, 04 Nov 2010 15:45:33 -0400
From: Marc Deslauriers marc.deslauri...@canonical.com
Subject: [oss-security] CVE request: fuse

Hello,

There is an issue with FUSE that lets unprivileged users unmount arbitrary locations via a symlink attack. This is a different issue than CVE-2009-3297 and CVE-2010-0789.

Ref.:
http://seclists.org/fulldisclosure/2010/Nov/15
http://www.halfdog.net/Security/FuseTimerace/

Thanks,

Marc.

--
Marc Deslauriers
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/

Reply at: https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622/comments/1

On 2010-11-05T12:00:10+00:00 Mszeredi wrote:

Affected distributions with fuse 2.8.2 *OR* util-linux 2.17. This means everything except 11.3 and Factory:

11.1
11.2
sle10-sp3
sle11
sle11-moblin20
sle11-sp1

Relevant fuse commits:

4c3d9b1957 Use '--no-canonicalize' option of mount(8)...
0197ce4041 Using --no-canonicalize with umount(8) conflicts with...

and util-linux commits:

45fc569a75 mount: add --no-canonicalize option
be9adec40f mount: disable --no-canonicalize for non-root users

Reply at: https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622/comments/2

On 2010-11-09T10:22:36+00:00 Thomas-novell wrote:

P5-P4 mass change

Reply at: https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622/comments/3

On 2010-11-12T13:38:54+00:00 Mszeredi wrote:

Created an attachment (id=399921)
fuse fix

Looking deeper, the above is not entirely correct.

Fuse versions 2.7.* and 2.8.* are all affected. The fix needs --no-canonicalize and --fake options in umount(8), which is present in util-linux-ng = 2.18.

The following commits need backporting to earlier versions of util-linux-ng:

45fc569a75 mount: add --no-canonicalize option
be9adec40f mount: disable --no-canonicalize for non-root users
387ade2a24 umount: add --no-canonicalize
97a3cef4f1 umount: add --fake option to umount(8)
1cf4c20b19 mount: don't canonicalize spec with --no-canonicalize option

Reply at: https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622/comments/4

On 2010-11-12T13:45:06+00:00 Mszeredi wrote:

And a similar race exists during mount, so --no-canonicalize is needed in mount(8) too (covered by the commits listed above).

Fuse versions 2.8.2 need to have these commits backported:

4c3d9b1957 Use '--no-canonicalize' option of mount(8)...
0197ce4041 Using --no-canonicalize with umount(8) conflicts with...

Reply at: https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622/comments/5

On 2010-12-03T12:37:34+00:00 Mszeredi wrote:

Updated util-linux and fuse packages have been submitted to the following projects:

SUSE:SLE-10-SP3:Update:Test
SUSE:SLE-10-SP4:Update:Test
SUSE:SLE-11:Update:Test
SUSE:SLE-11-SP1:Update:Test
SUSE:Factory:Head
openSUSE:11.2:Update:Test
openSUSE:11.3:Update:Test

In all 14 submitrequests.

Reassigning to security team for further processing.

Reply at: https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622/comments/6

On 2010-12-03T15:26:28+00:00 Thomas-novell wrote:

Thanks a lot.

(Note: It is still filed as planned update and will therefore be released later.)

CVE-2010-3879: CVSS v2 Base Score: 3.6 (moderate) (AV:L/AC:L/Au:N/C:N/I:P/A:P): unknown (unknown)

Reply at: https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622/comments/7

On 2010-12-08T14:13:59+00:00 Dmueller wrote:

submitting it for SLE10 SP4

Reply at: https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622/comments/8

On 2010-12-22T14:52:50+00:00 Swamp-suse wrote:

The SWAMPID for this issue is 37926.
This issue was rated as low.
Please submit fixed packages until 2011-01-19.
When done, please reassign the bug to security-t...@suse.de.
Patchinfo will
[Bug 670622] Re: fusermount allows unmount any filesystem
This bug was fixed in the package fuse - 2.7.2-1ubuntu2.2

---
fuse (2.7.2-1ubuntu2.2) hardy-security; urgency=low

  * SECURITY UPDATE: arbitrary unprivileged unmount (LP: #670622)
    - debian/patches/CVE-2010-3879.dpatch: backported numerous fuse fixes from git tree to fix security issues.
      - Block SIGCHLD when executing mount and umount
      - Use '--no-canonicalize' option of mount(8)
      - Fix race if two fusermount -u instances are run in parallel
      - Make sure the path to be unmounted doesn't refer to a symlink
      - Use umount --fake to update /etc/mtab
    - debian/patches/200-fix_mount_symlink_handling: removed, changes are in the new patch.
    - debian/control: make libfuse2 depend on version of mount that contains backported --fake support.
    - CVE-2010-3879

 -- Marc Deslauriers marc.deslauri...@ubuntu.com  Thu, 09 Dec 2010 16:27:05 -0500

** Changed in: fuse (Ubuntu)
       Status: Confirmed => Fix Released
[Bug 670622] Re: fusermount allows unmount any filesystem
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3879
[Bug 670622] Re: fusermount allows unmount any filesystem
** Changed in: fuse (Ubuntu)
       Status: New => Confirmed

** Changed in: fuse (Ubuntu)
   Importance: Undecided => Medium