Bug 7063 - fuse 2.8.5 has several security vulnerabilities
: fuse 2.8.5 has several security vulnerabilities
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 1
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/430335/
: MGA1-64-OK MGA1-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-08-14 22:55 CEST by David Walser
Modified: 2012-11-23 21:29 CET (History)
6 users (show)

See Also:
Source RPM: fuse-2.8.5-1.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-08-14 22:55:08 CEST
RedHat has issued an advisory on July 20, 2011:
https://rhn.redhat.com/errata/RHSA-2011-1083.html

Other vendors issued advisories for these as well (OpenSuSE, Ubuntu, etc):
http://lwn.net/Vulnerabilities/423993/
http://lwn.net/Vulnerabilities/430335/

Patches should be available in the updated RedHat package.

I'm guessing that these were fixed by 2.8.7, which we have in Mageia 2.

Totally unrelated, but I'm curious if we're upgrading Cauldron to 2.9.x.
Comment 1 David Walser 2012-08-25 20:47:06 CEST
(In reply to comment #0)
> Totally unrelated, but I'm curious if we're upgrading Cauldron to 2.9.x.

fedya updated it to 2.9.1 in Cauldron.
Comment 2 Alexander Khryukin 2012-09-05 11:45:17 CEST
Yeap, i'm here.

In cauldron we have 2.9.1

if vulns still there i can backport patches.
Comment 3 David Walser 2012-09-05 13:58:31 CEST
Yes, Mageia 1 is still vulnerable.  I'm not 100% sure about Mageia 2, but guessing it's not.
Comment 4 Manuel Hiebel 2012-11-05 16:51:57 CET
This message is a reminder that Mageia 1 is nearing its end of life. 
In approximately 25 days from now, Mageia will stop maintaining and issuing 
updates for Mageia 1. At that time this bug will be closed as WONTFIX (EOL) if it 
remains open with a Mageia 'version' of '1'.

Package Maintainer: If you wish for this bug to remain open because you plan to 
fix it in a currently maintained version, simply change the 'version' to a later 
Mageia version prior to Mageia 1's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not 
be able to fix it before Mageia 1 is end of life.  If you would still like to see 
this bug fixed and are able to reproduce it against a later version of Mageia, 
you are encouraged to click on "Version" and change it against that version 
of Mageia.

Although we aim to fix as many bugs as possible during every release's lifetime, 
sometimes those efforts are overtaken by events. Often a more recent Mageia 
release includes newer upstream software that fixes bugs or makes them obsolete.

--
Mageia Bugsquad
Comment 5 David Walser 2012-11-21 17:14:40 CET
Patched package uploaded for Mageia 1.

Note to QA: the RedHat bug has discussion about reproducing the issue(s):
https://bugzilla.redhat.com/show_bug.cgi?id=651183

Advisory:
========================

Updated fuse packages fix security vulnerabilities:

Multiple flaws were found in the way fusermount handled the mounting and
unmounting of directories when symbolic links were present. A local user in
the fuse group could use these flaws to unmount file systems, which they
would otherwise not be able to unmount and that were not mounted using
FUSE, via a symbolic link attack (CVE-2010-3879, CVE-2011-0541,
CVE-2011-0542, CVE-2011-0543).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0542
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0543
https://rhn.redhat.com/errata/RHSA-2011-1083.html
========================

Updated packages in core/updates_testing:
========================
fuse-2.8.5-1.1.mga1
libfuse-devel-2.8.5-1.1.mga1
libfuse2-2.8.5-1.1.mga1
libfuse-static-devel-2.8.5-1.1.mga1

from fuse-2.8.5-1.1.mga1.src.rpm
Comment 6 Dave Hodgins 2012-11-22 01:50:34 CET
Trying to run the poc in Mageia 1 i586 ...
$ ./testfuse.sh 
pre-run, make sure ps is working
dave      6459  0.0  0.0   5864  1000 pts/1    S+   19:44   0:00 /bin/bash ./testfuse.sh
dave      6460  0.0  0.0   5576   968 pts/1    R+   19:44   0:00 ps aux
dave      6461  0.0  0.0   5088   576 pts/1    S+   19:44   0:00 tail -3
FuseMinimal: no process found
Using target call count 8
fuse: mountpoint is not empty
fuse: if you are sure this is safe, use the 'nonempty' mount option
fusermount: entry for /proc not found in /etc/mtab
post-run, is ps still working?
dave      6466  0.0  0.0   1832   228 pts/1    S+   19:44   0:00 ./DirModifyInotify --Watch tmp/proc --Watch /etc/mtab --WatchCount 8 --MovePath tmp --LinkTarget /
dave      6471  0.0  0.0   5576   972 pts/1    R+   19:45   0:00 ps aux
dave      6472  0.0  0.0   5088   580 pts/1    S+   19:45   0:00 tail -3

So the poc doesn't seem to be working.

I'll just test that the updated fuse is working, by mounting an ntfs filesystem.
Comment 7 Dave Hodgins 2012-11-22 02:08:15 CET
Testing complete on Mageia 1 i586 and x86-64.

Could someone from the sysadmin team push the srpm
fuse-2.8.5-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated fuse packages fix security vulnerabilities:

Multiple flaws were found in the way fusermount handled the mounting and
unmounting of directories when symbolic links were present. A local user in
the fuse group could use these flaws to unmount file systems, which they
would otherwise not be able to unmount and that were not mounted using
FUSE, via a symbolic link attack (CVE-2010-3879, CVE-2011-0541,
CVE-2011-0542, CVE-2011-0543).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0542
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0543
https://rhn.redhat.com/errata/RHSA-2011-1083.html

https://bugs.mageia.org/show_bug.cgi?id=7063
Comment 8 Thomas Backlund 2012-11-23 21:29:52 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0339

Note You need to log in before you can comment on or make changes to this bug.