More CVE names have been assigned to this issue. Since we would need to fix them all to get a comprehensive fix, I'm noting them all here as opposed to filing new bugs.
Marc Deslauriers summarized the following on oss-security (http://seclists.org/oss-sec/2011/q1/173):
CVE-2011-0541:
http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f
Fuse tries to mount a directory without resolving symlinks, and then tries to update mtab. If it couldn't update mtab, it would unmount the directory while resolving symlinks this time, resulting in a different directory being unmounted.
CVE-2011-0542:
http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873
This prevents local users from changing the location of the current directory from under fuse using a timing attack.
CVE-2011-0543:
http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47
Fuse uses the --no-canonicalize mount option to prevent a symlink attack on the mount point written to mtab. For backwards compatibility reasons, it would fall back to using mount in an insecure way. This fallback could get triggered by a user when an entry already existed in mtab.
All three of these issues allowed local users to trick fuse into unmounting arbitrary directories.
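
The mismatch summarized above arises when one step uses the mount point as given and a later step uses its symlink-resolved form. The following is an added example, not code from fuse or from the original comment: a check that flags a mount point whose resolved form differs from the string supplied. The function names and the temporary sample paths are assumptions constructed for illustration.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if `path` is already canonical (resolving symlinks, "." and ".."
 * yields the same string), 0 if it would resolve elsewhere, -1 on error.
 * The check is not atomic: a caller should go on using the resolved string
 * for every later step instead of re-resolving the original path. */
int mountpoint_is_canonical(const char *path)
{
    char resolved[PATH_MAX];

    if (realpath(path, resolved) == NULL)
        return -1;
    return strcmp(path, resolved) == 0;
}

/* Constructed sample tree: <tmp>/real is a directory, <tmp>/link -> real. */
int make_sample_tree(char *real_out, char *link_out, size_t n)
{
    char tmpl[] = "/tmp/mntcheck-XXXXXX";
    char *base;
    int ok;

    if (mkdtemp(tmpl) == NULL || (base = realpath(tmpl, NULL)) == NULL)
        return -1;
    snprintf(real_out, n, "%s/real", base);
    snprintf(link_out, n, "%s/link", base);
    free(base);
    ok = mkdir(real_out, 0700) == 0 && symlink(real_out, link_out) == 0;
    return ok ? 0 : -1;
}

int main(void)
{
    char real_dir[PATH_MAX], link_dir[PATH_MAX];

    if (make_sample_tree(real_dir, link_dir, sizeof real_dir) != 0)
        return 1;
    printf("%s canonical=%d\n", real_dir, mountpoint_is_canonical(real_dir));
    printf("%s canonical=%d\n", link_dir, mountpoint_is_canonical(link_dir));
    return 0;
}
```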