fusermount allows unmount any filesystem

Reported by Paul Szabo on 2010-11-03
Affects          Status         Importance   Assigned to   Milestone
fuse (Debian)    Fix Released   Unknown
fuse (Fedora)    Unknown        Unknown
fuse (Suse)      Fix Released   Medium
fuse (Ubuntu)                   Medium       Unassigned

Bug Description

Binary package hint: fuse-utils

As reported on a public mailing list, fusermount in Ubuntu allows
unprivileged users to unmount anything. For details, please see:

http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077247.html
http://bugs.debian.org/602333

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

Paul Szabo (psz-maths) on 2010-11-03
visibility: private → public

Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

------------------------------------------------------------------------------
Date: Thu, 04 Nov 2010 15:45:33 -0400
From: Marc Deslauriers <email address hidden>
Subject: [oss-security] CVE request: fuse

Hello,

There is an issue with FUSE that lets unprivileged users unmount
arbitrary locations via a symlink attack. This is a different issue than
CVE-2009-3297 and CVE-2010-0789.

Ref.:

http://seclists.org/fulldisclosure/2010/Nov/15
http://www.halfdog.net/Security/FuseTimerace/

Thanks,

Marc.

--
Marc Deslauriers
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/

Affected distributions with fuse < 2.8.2 *OR* util-linux < 2.17. This means everything except 11.3 and Factory:

11.1
11.2
sle10-sp3
sle11
sle11-moblin20
sle11-sp1

Relevant fuse commits:

  4c3d9b1957 "Use '--no-canonicalize' option of mount(8)..."
  0197ce4041 "Using --no-canonicalize with umount(8) conflicts with..."

and util-linux commits:

  45fc569a75 "mount: add --no-canonicalize option"
  be9adec40f "mount: disable --no-canonicalize for non-root users"

P5->P4 mass change

Created an attachment (id=399921)
fuse fix

Looking deeper, the above is not entirely correct. Fuse versions 2.7.* and 2.8.* are all affected. The fix needs the "--no-canonicalize" and "--fake" options in umount(8), which are present in util-linux-ng >= 2.18.

The following commits need backporting to earlier versions of util-linux-ng:

  45fc569a75 mount: add --no-canonicalize option
  be9adec40f mount: disable --no-canonicalize for non-root users
  387ade2a24 umount: add --no-canonicalize
  97a3cef4f1 umount: add --fake option to umount(8)
  1cf4c20b19 mount: don't canonicalize "spec" with --no-canonicalize option

And a similar race exists during mount, so --no-canonicalize is needed in mount(8) too (covered by the commits listed above).

Fuse versions <2.8.2 need to have these commits backported:

  4c3d9b1957 "Use '--no-canonicalize' option of mount(8)..."
  0197ce4041 "Using --no-canonicalize with umount(8) conflicts with..."

Changed in fuse (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium

Updated "util-linux" and "fuse" packages have been submitted to the following projects:

SUSE:SLE-10-SP3:Update:Test
SUSE:SLE-10-SP4:Update:Test
SUSE:SLE-11:Update:Test
SUSE:SLE-11-SP1:Update:Test
SUSE:Factory:Head
openSUSE:11.2:Update:Test
openSUSE:11.3:Update:Test

In all, 14 submit requests.

Reassigning to security team for further processing.

Thanks a lot. (Note: It is still filed as "planned update" and will therefore be released later.)

CVE-2010-3879: CVSS v2 Base Score: 3.6 (moderate) (AV:L/AC:L/Au:N/C:N/I:P/A:P): unknown (unknown)

submitting it for SLE10 SP4

The SWAMPID for this issue is 37926.
This issue was rated as low.
Please submit fixed packages until 2011-01-19.
When done, please reassign the bug to <email address hidden>.
Patchinfo will be handled by security team.

there is a conflicting util-linux submission on sle11sp1 from Petr (sr#9153). Could you please merge and resubmit?

(In reply to comment #11)
> there is a conflicting util-linux submission on sle11sp1 from Petr (sr#9153).
> Could you please merge and resubmit?

submitted a merged request: sr#9881.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fuse - 2.7.2-1ubuntu2.2

---------------
fuse (2.7.2-1ubuntu2.2) hardy-security; urgency=low

  * SECURITY UPDATE: arbitrary unprivileged unmount (LP: #670622)
    - debian/patches/CVE-2010-3879.dpatch: backported numerous fuse fixes
      from git tree to fix security issues.
      - Block SIGCHLD when executing mount and umount
      - Use "--no-canonicalize" option of mount(8)
      - Fix race if two "fusermount -u" instances are run in parallel
      - Make sure the path to be unmounted doesn't refer to a symlink
      - Use umount --fake to update /etc/mtab
    - debian/patches/200-fix_mount_symlink_handling: removed, changes are
      in the new patch.
    - debian/control: make libfuse2 depend on version of mount that
      contains backported --fake support.
    - CVE-2010-3879
 -- Marc Deslauriers <email address hidden> Thu, 09 Dec 2010 16:27:05 -0500
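
The changelog item "Make sure the path to be unmounted doesn't refer to a symlink" can be illustrated with a component-by-component open that refuses symbolic links and hands back a pinned directory descriptor. This is an added example, not code from fuse or util-linux; `open_nosymlink`, `demo` and the temporary directory layout are hypothetical names and fixtures constructed for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk an absolute directory path component by component, refusing symlinks
 * and "..". Returns a directory fd pinned to the final component, or -1 with
 * errno set (ELOOP for a symlink). Later steps must use the fd, not the path. */
int open_nosymlink(const char *path) {
    char buf[PATH_MAX], *save = NULL;
    struct stat st;
    if (path[0] != '/' || strlen(path) >= sizeof buf) { errno = EINVAL; return -1; }
    strcpy(buf, path);
    int fd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    for (char *c = strtok_r(buf, "/", &save); fd >= 0 && c; c = strtok_r(NULL, "/", &save)) {
        int next = -1, err = EINVAL;            /* ".." is rejected outright */
        if (strcmp(c, "..") != 0) {
            /* The probe yields a clear errno; O_NOFOLLOW on the open enforces it. */
            if (fstatat(fd, c, &st, AT_SYMLINK_NOFOLLOW) == 0 && S_ISLNK(st.st_mode))
                err = ELOOP;
            else
                err = (next = openat(fd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)) < 0 ? errno : 0;
        }
        close(fd); fd = next; errno = err;
    }
    return fd;
}

/* Constructed fixture: <tmp>/real/mnt is a directory, <tmp>/link -> real.
 * Returns 1 when the direct path is accepted and the symlinked one refused. */
int demo(void) {
    char tmpl[] = "/tmp/nosymXXXXXX", base[PATH_MAX], p[PATH_MAX + 16];
    if (!mkdtemp(tmpl) || !realpath(tmpl, base) || chdir(base)) return -1;
    if (mkdir("real", 0700) || mkdir("real/mnt", 0700) || symlink("real", "link")) return -1;
    snprintf(p, sizeof p, "%s/real/mnt", base);
    int ok = open_nosymlink(p);
    snprintf(p, sizeof p, "%s/link/mnt", base);
    int bad = open_nosymlink(p), bad_errno = errno;
    if (ok >= 0) close(ok);
    unlink("link"); rmdir("real/mnt"); rmdir("real");
    if (chdir("/") == 0) rmdir(base);
    return ok >= 0 && bad < 0 && bad_errno == ELOOP;
}
int main(void) { return demo() == 1 ? 0 : 1; }
```

A check like this only holds if every later step works from the returned descriptor; handing the original path string to a second program that resolves it again reopens the window between check and use.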

Changed in fuse (Ubuntu):
status: Confirmed → Fix Released
Changed in fuse (Suse):
importance: Unknown → Medium
status: Unknown → In Progress
Changed in fuse (Debian):
status: Unknown → New

Please wait with releasing an update until fixes are submitted for the new issue reported in bug 668820.

And let's also include bnc#667215 from the "planned update" list please.

Update released for: fuse, fuse-debuginfo, fuse-debugsource, fuse-devel, libblkid-devel, libblkid-devel-32bit, libblkid1, libblkid1-32bit, libblkid1-x86, libfuse2, libuuid-devel, libuuid-devel-32bit, libuuid1, libuuid1-32bit, libuuid1-x86, util-linux, util-linux-debuginfo, util-linux-debugsource, util-linux-lang, uuid-runtime
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)

Update released for: fuse, fuse-debuginfo, fuse-debugsource, fuse-devel, fuse-devel-static, libblkid-devel, libblkid1, libblkid1-debuginfo, libfuse2, libfuse2-debuginfo, libuuid-devel, libuuid1, libuuid1-debuginfo, util-linux, util-linux-debuginfo, util-linux-debugsource, util-linux-lang, uuidd, uuidd-debuginfo
Products:
openSUSE 11.2 (debug, i586, x86_64)

Update released for: fuse, fuse-debuginfo, fuse-debugsource, fuse-devel, fuse-devel-static, libblkid-devel, libblkid1, libblkid1-debuginfo, libfuse2, libfuse2-debuginfo, libuuid-devel, libuuid1, libuuid1-debuginfo, util-linux, util-linux-debuginfo, util-linux-debugsource, util-linux-lang, uuidd, uuidd-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)

released

Update released for: fuse, fuse-debuginfo, fuse-devel, libfuse2, util-linux, util-linux-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP3 (i386, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)

Update released for: fuse, fuse-debuginfo, fuse-devel, libfuse2
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)

Changed in fuse (Suse):
status: In Progress → Fix Released
Changed in fuse (Debian):
status: New → Fix Released