Bug 16016

Summary: fuse new security issue CVE-2015-3202
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/645632/
Whiteboard: has_procedure advisory mga4-32-ok mga4-64-ok
Source RPM: fuse-2.9.3-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-05-22 16:43:08 CEST 
Debian and Ubuntu have issued advisories on May 21:
https://www.debian.org/security/2015/dsa-3266
http://www.ubuntu.com/usn/usn-2617-1/

They both also noted that ntfs-3g can be affected:
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-3202
https://www.debian.org/security/2015/dsa-3268

But that's only if it's built with an internal fuse, which ours is not.

Patches checked into Mageia 4 and Cauldron SVN.  Freeze push requested.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-05-22 16:48:42 CEST 
More details on this issue are here:
https://marc.info/?l=oss-security&m=143222736930704&w=2
Comment 2 David Walser 2015-05-22 17:58:04 CEST 
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated fuse packages fix security vulnerability:

Tavis Ormandy discovered that FUSE incorrectly filtered environment variables.
A local attacker could use this issue to gain administrative privileges
(CVE-2015-3202).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3202
http://www.ubuntu.com/usn/usn-2617-1/
========================

Updated packages in core/updates_testing:
========================
fuse-2.9.3-2.1.mga4
libfuse-devel-2.9.3-2.1.mga4
libfuse2-2.9.3-2.1.mga4
libfuse-static-devel-2.9.3-2.1.mga4

from fuse-2.9.3-2.1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

David Walser 2015-05-22 18:28:24 CEST

URL: (none) => http://lwn.net/Vulnerabilities/645632/

Comment 3 claire robinson 2015-05-23 18:42:25 CEST 
Advisory uploaded.

Whiteboard: (none) => advisory

Comment 4 claire robinson 2015-05-27 11:33:49 CEST 
Testing complete mga4 64

Used sshfs-fuse to test. It uses ssh to mount a remote filesystem somewhere in userland. Helps to have passwordless login configured, but not necessary.

Mounted and unmounted a remote filesystem..

$ ls test2
$ sshfs cctv: test2/

Syntax is sshfs <host>:<path> <mount point>

$ ls test2
depcheck*  Documents/  Pictures/   tmp/ 
Desktop/   Downloads/  Music/      Templates/  Videos/

$ fusermount -u test2
$ ls test2
$

Whiteboard: advisory => has_procedure advisory mga4-64-ok

Comment 5 claire robinson 2015-05-27 18:43:54 CEST 
Testing complete mga4 32

Validating.

Please push to 4 updates.

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-05-27 18:58:42 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0239.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED