Comment 37 for bug 670622

In , Vincent (vincent-redhat-bugs) wrote:

More CVE names have been assigned to this issue. Since we would need to fix them all to get a comprehensive fix, I'm noting them all here as opposed to filing new bugs.

Marc Deslauriers summarized the following on oss-security (http://seclists.org/oss-sec/2011/q1/173):

CVE-2011-0541:

http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f

Fuse tries to mount a directory without resolving symlinks, and then tries to update mtab. If it couldn't update mtab, it would unmount the directory while resolving symlinks this time, resulting in a different directory being unmounted.

CVE-2011-0542:

http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873

This prevents local users from changing the location of the current directory from under fuse using a timing attack.

CVE-2011-0543:

http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47

Fuse uses the --no-canonicalize mount option to prevent a symlink attack on the mount point written to mtab. For backwards compatibility reasons, it would fall back to using mount in an insecure way. This fallback could get triggered by a user when an entry already existed in mtab.

All three of these issues allowed local users to trick fuse into unmounting arbitrary directories.
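The first issue (resolving the mount point twice, once for the mount and again for the rollback) is the one that is easiest to see in code. The following is an added simulation, not fuse's own code: nothing is actually mounted, a Python set stands in for the mount table, the function and directory names are hypothetical, and the "race window" is a callback that repoints a symlink in a scratch directory.

```python
import os
import tempfile

# Simulation of the rollback logic behind CVE-2011-0541 (constructed for this
# example; nothing is really mounted, a set stands in for the mount table).

def unmount_after_vulnerable_rollback(mount_point, race_window):
    """Pre-fix behaviour: mount the path as given, resolve symlinks only
    when rolling back after the mtab update fails."""
    mounted = {mount_point}                 # mount was called with the raw path
    race_window()                           # mtab update fails; link may change here
    target = os.path.realpath(mount_point)  # second, independent resolution
    mounted.discard(target)
    return target                           # the directory the rollback unmounts

def unmount_after_fixed_rollback(mount_point, race_window):
    """Fixed behaviour: canonicalize once, up front, and reuse that single
    path for the mount, the mtab entry and any rollback unmount."""
    target = os.path.realpath(mount_point)
    mounted = {target}
    race_window()                           # repointing the link no longer matters
    mounted.discard(target)
    return target

def demo():
    """Build real/, other/ and link -> real/ in a scratch dir, repoint link
    to other/ inside the window, and report which dir each version unmounts."""
    tmp = tempfile.mkdtemp()
    real, other, link = (os.path.join(tmp, n) for n in ("real", "other", "link"))
    os.mkdir(real)
    os.mkdir(other)
    os.symlink(real, link)

    def repoint_link():
        os.unlink(link)
        os.symlink(other, link)

    vuln_target = unmount_after_vulnerable_rollback(link, repoint_link)
    os.unlink(link)
    os.symlink(real, link)                  # reset the link for the fixed run
    fixed_target = unmount_after_fixed_rollback(link, repoint_link)
    return os.path.realpath(real), os.path.realpath(other), vuln_target, fixed_target

if __name__ == "__main__":
    real, other, vuln, fixed = demo()
    print("vulnerable rollback unmounted other/ instead of the mounted dir:", vuln == other)
    print("fixed rollback unmounted the same dir it mounted (real/):", fixed == real)
```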