"mount" decodes newlines from /etc/mtab which may confuse 3rd party scripts
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
util-linux (Ubuntu) | Confirmed | Low | Unassigned |
Bug Description
fusermount fails to sanitize the names of user-provided filesystems when writing to /etc/mtab, allowing unprivileged users to insert newline characters into /etc/mtab and, subsequently, insert or modify mount options for other devices, leading to denial of service conditions, the ability to unmount arbitrary filesystems, or potentially escalate privileges.
As an example, a typical mtab entry for the "hello" example filesystem provided with the fuse-utils package looks like this:
drosenbe@
drosenbe@
...
hello on /home/drosenbe/
If I simply rename this filesystem to "hello\nthese are my new evil mount options\nhello" and mount it, /etc/mtab looks like:
drosenbe@
these are my new evil mount options
hello' mount/
drosenbe@
...
hello
these are my new evil mount options
hello on /home/drosenbe/
these are my new evil mount options
hello (rw,nosuid,
You may experience some weird behavior with newlines depending on your terminal, so I recommend writing a quick C wrapper and calling rename() to make sure the filename is correct.
Note that this is similar to CVE-2005-3531, but differs in that the old issue allowed corruption via newlines in the mount point names (and was subsequently fixed), but this new issue allows corruption via newlines in filesystem names.
On a related note, it might be a good idea to make fusermount only executable by those in the fuse group - on my stock Lucid install, it's 4755.
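The following C sketch is an added example, not part of the original report and not fusermount's own code. It shows the kind of sanitization the report says is missing: octal-escaping space, tab, newline and backslash in the filesystem name and mount point before a record is written, so that one mount always produces exactly one mtab line. The helper names `mtab_escape` and `mtab_format`, the mount point, the type and the options are assumptions; the type and options fields are assumed to come from trusted code.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not fusermount's code: copy src to dst, replacing the
 * characters that separate mtab fields and records with octal escapes.
 * Returns 0 on success, -1 if dst is too small. */
static int mtab_escape(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        int esc = (c == ' ' || c == '\t' || c == '\n' || c == '\\');
        if (dstlen - o < (esc ? 5u : 2u))   /* escape or char, plus NUL */
            return -1;
        if (esc)
            o += (size_t)snprintf(dst + o, dstlen - o, "\\%03o", (unsigned)c);
        else
            dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Build one "fsname dir type opts 0 0" record with fsname and dir escaped. */
static int mtab_format(const char *fsname, const char *dir, const char *type,
                       const char *opts, char *line, size_t linelen)
{
    char f[1024], d[1024];
    if (mtab_escape(fsname, f, sizeof f) || mtab_escape(dir, d, sizeof d))
        return -1;
    int n = snprintf(line, linelen, "%s %s %s %s 0 0\n", f, d, type, opts);
    return (n < 0 || (size_t)n >= linelen) ? -1 : 0;
}

int main(void)
{
    char line[2048];
    /* Name from the report; mount point, type and options are constructed. */
    if (mtab_format("hello\nthese are my new evil mount options\nhello",
                    "/mnt/constructed", "fuse", "rw,nosuid,nodev",
                    line, sizeof line) == 0)
        fputs(line, stdout);   /* one record, one trailing newline */
    return 0;
}
```

A reader of the file that decodes these escapes before printing, which is what the bug title says "mount" does, brings the newlines back in its output, so scripts should parse the escaped file rather than the decoded text.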
summary:
- fuse allows mtab corruption via crafted filesystem name
+ "mount" decodes newlines from /etc/mtab which may confuse 3rd party scripts
visibility: private → public
Changed in util-linux (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
Thanks for the report. I can confirm this.
I think fuse is available to all by default because of gvfs, but we will check into it.