Bug 16016 - fuse new security issue CVE-2015-3202
Summary: fuse new security issue CVE-2015-3202
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/645632/
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-05-22 16:43 CEST by David Walser
Modified: 2015-05-27 18:58 CEST (History)
1 user (show)

See Also:
Source RPM: fuse-2.9.3-2.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-05-22 16:43:08 CEST
Debian and Ubuntu have issued advisories on May 21:
https://www.debian.org/security/2015/dsa-3266
http://www.ubuntu.com/usn/usn-2617-1/

They both also noted that ntfs-3g can be affected:
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-3202
https://www.debian.org/security/2015/dsa-3268

But that's only if it's built with an internal fuse, which ours is not.

Patches checked into Mageia 4 and Cauldron SVN.  Freeze push requested.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-05-22 16:48:42 CEST
More details on this issue are here:
https://marc.info/?l=oss-security&m=143222736930704&w=2
Comment 2 David Walser 2015-05-22 17:58:04 CEST
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated fuse packages fix security vulnerability:

Tavis Ormandy discovered that FUSE incorrectly filtered environment variables.
A local attacker could use this issue to gain administrative privileges
(CVE-2015-3202).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3202
http://www.ubuntu.com/usn/usn-2617-1/
========================

Updated packages in core/updates_testing:
========================
fuse-2.9.3-2.1.mga4
libfuse-devel-2.9.3-2.1.mga4
libfuse2-2.9.3-2.1.mga4
libfuse-static-devel-2.9.3-2.1.mga4

from fuse-2.9.3-2.1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

David Walser 2015-05-22 18:28:24 CEST

URL: (none) => http://lwn.net/Vulnerabilities/645632/

Comment 3 claire robinson 2015-05-23 18:42:25 CEST
Advisory uploaded.

Whiteboard: (none) => advisory

Comment 4 claire robinson 2015-05-27 11:33:49 CEST
Testing complete mga4 64

Used sshfs-fuse to test. It uses ssh to mount a remote filesystem somewhere in userland. Helps to have passwordless login configured, but not necessary.

Mounted and unmounted a remote filesystem..

$ ls test2
$ sshfs cctv: test2/

Syntax is sshfs <host>:<path> <mount point>

$ ls test2
depcheck*  Documents/  Pictures/   tmp/ 
Desktop/   Downloads/  Music/      Templates/  Videos/

$ fusermount -u test2
$ ls test2
$

Whiteboard: advisory => has_procedure advisory mga4-64-ok

Comment 5 claire robinson 2015-05-27 18:43:54 CEST
Testing complete mga4 32

Validating.

Please push to 4 updates.

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-05-27 18:58:42 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0239.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.