RedHat has issued an advisory on July 20, 2011:
https://rhn.redhat.com/errata/RHSA-2011-1083.html

Other vendors issued advisories for these as well (OpenSuSE, Ubuntu, etc):
http://lwn.net/Vulnerabilities/423993/
http://lwn.net/Vulnerabilities/430335/

Patches should be available in the updated RedHat package.

I'm guessing that these were fixed by 2.8.7, which we have in Mageia 2.

Totally unrelated, but I'm curious if we're upgrading Cauldron to 2.9.x.
CC: (none) => mageia
CC: (none) => eandry
Assignee: bugsquad => mageia

(In reply to comment #0)
> Totally unrelated, but I'm curious if we're upgrading Cauldron to 2.9.x.

fedya updated it to 2.9.1 in Cauldron.
CC: (none) => alexander
Yep, I'm here. In Cauldron we have 2.9.1; if the vulns are still there I can backport patches.
Yes, Mageia 1 is still vulnerable. I'm not 100% sure about Mageia 2, but guessing it's not.
This message is a reminder that Mageia 1 is nearing its end of life. In approximately 25 days from now, Mageia will stop maintaining and issuing updates for Mageia 1. At that time this bug will be closed as WONTFIX (EOL) if it remains open with a Mageia 'version' of '1'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Mageia version prior to Mageia 1's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Mageia 1 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Mageia, you are encouraged to click on "Version" and change it against that version of Mageia.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Mageia release includes newer upstream software that fixes bugs or makes them obsolete.

--
Mageia Bugsquad
Patched package uploaded for Mageia 1.

Note to QA: the RedHat bug has discussion about reproducing the issue(s):
https://bugzilla.redhat.com/show_bug.cgi?id=651183

Advisory:
========================

Updated fuse packages fix security vulnerabilities:

Multiple flaws were found in the way fusermount handled the mounting and unmounting of directories when symbolic links were present. A local user in the fuse group could use these flaws to unmount file systems, which they would otherwise not be able to unmount and that were not mounted using FUSE, via a symbolic link attack (CVE-2010-3879, CVE-2011-0541, CVE-2011-0542, CVE-2011-0543).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0542
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0543
https://rhn.redhat.com/errata/RHSA-2011-1083.html
========================

Updated packages in core/updates_testing:
========================
fuse-2.8.5-1.1.mga1
libfuse-devel-2.8.5-1.1.mga1
libfuse2-2.8.5-1.1.mga1
libfuse-static-devel-2.8.5-1.1.mga1

from fuse-2.8.5-1.1.mga1.src.rpm
Assignee: mageia => qa-bugs
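The advisory above attributes these flaws to how a privileged helper handles mount point paths when symbolic links are present. As an added illustration (not code from fuse, the Red Hat errata or the Mageia patch), the sketch below shows one general defensive pattern for that bug class: walk the path one component at a time with O_NOFOLLOW so a planted symlink is refused instead of followed. The helper name `open_dir_nofollow` and the temporary directory layout are assumptions constructed for the example, and Linux is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not fuse code): open an absolute directory path one
 * component at a time and refuse any component that is a symbolic link.
 * Returns a directory fd, or -1 with errno set (ELOOP or ENOTDIR on Linux
 * when a symlink is met, EINVAL for a relative path or a ".." component). */
int open_dir_nofollow(const char *path)
{
    char buf[PATH_MAX], *save = NULL;
    if (path[0] != '/' || strlen(path) >= sizeof(buf)) { errno = EINVAL; return -1; }
    strcpy(buf, path);
    int dirfd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    for (char *c = strtok_r(buf, "/", &save); dirfd >= 0 && c; c = strtok_r(NULL, "/", &save)) {
        int next = -1, err = EINVAL;
        if (strcmp(c, "..") != 0) {      /* ".." could leave the checked prefix */
            next = openat(dirfd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
            err = errno;
        }
        close(dirfd);                    /* parent fd is no longer needed */
        errno = err;
        dirfd = next;
    }
    return dirfd;
}

/* Constructed sample: <tmp>/real is a directory, <tmp>/link is a symlink to "/". */
int main(void)
{
    char base[] = "/tmp/nofollow-demo-XXXXXX", real[PATH_MAX], lnk[PATH_MAX];
    if (!mkdtemp(base)) return 1;
    char *root = realpath(base, NULL);   /* resolve the prefix; only the planted link remains */
    if (!root) return 1;
    snprintf(real, sizeof real, "%s/real", root);
    snprintf(lnk, sizeof lnk, "%s/link", root);
    if (mkdir(real, 0700) || symlink("/", lnk)) return 1;
    int ok = open_dir_nofollow(real), bad = open_dir_nofollow(lnk);
    printf("real: %s, link: %s\n", ok >= 0 ? "opened" : "refused",
           bad >= 0 ? "opened" : "refused");
    if (ok >= 0) close(ok);
    unlink(lnk); rmdir(real); rmdir(root); free(root);
    return !(ok >= 0 && bad < 0);
}
```

The returned descriptor, rather than the path string, is what later operations should act on, since the path can be changed again after the check.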
Trying to run the poc in Mageia 1 i586 ...

$ ./testfuse.sh
pre-run, make sure ps is working
dave 6459 0.0 0.0 5864 1000 pts/1 S+ 19:44 0:00 /bin/bash ./testfuse.sh
dave 6460 0.0 0.0 5576 968 pts/1 R+ 19:44 0:00 ps aux
dave 6461 0.0 0.0 5088 576 pts/1 S+ 19:44 0:00 tail -3
FuseMinimal: no process found
Using target call count 8
fuse: mountpoint is not empty
fuse: if you are sure this is safe, use the 'nonempty' mount option
fusermount: entry for /proc not found in /etc/mtab
post-run, is ps still working?
dave 6466 0.0 0.0 1832 228 pts/1 S+ 19:44 0:00 ./DirModifyInotify --Watch tmp/proc --Watch /etc/mtab --WatchCount 8 --MovePath tmp --LinkTarget /
dave 6471 0.0 0.0 5576 972 pts/1 R+ 19:45 0:00 ps aux
dave 6472 0.0 0.0 5088 580 pts/1 S+ 19:45 0:00 tail -3

So the poc doesn't seem to be working.

I'll just test that the updated fuse is working, by mounting an ntfs filesystem.
CC: (none) => davidwhodgins
Testing complete on Mageia 1 i586 and x86-64.

Could someone from the sysadmin team push the srpm
fuse-2.8.5-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated fuse packages fix security vulnerabilities:

Multiple flaws were found in the way fusermount handled the mounting and unmounting of directories when symbolic links were present. A local user in the fuse group could use these flaws to unmount file systems, which they would otherwise not be able to unmount and that were not mounted using FUSE, via a symbolic link attack (CVE-2010-3879, CVE-2011-0541, CVE-2011-0542, CVE-2011-0543).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0542
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0543
https://rhn.redhat.com/errata/RHSA-2011-1083.html

https://bugs.mageia.org/show_bug.cgi?id=7063

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA1-64-OK MGA1-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0339
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED