Gentoo Forums
[ glsa 201603-04 ] fuse
GLSA
Posted: Wed Mar 09, 2016 6:26 pm    Post subject: [ glsa 201603-04 ] fuse

Gentoo Linux Security Advisory

Title: FUSE: incorrect filtering of environment variables leading to
privilege escalation
(GLSA 201603-04)
Severity: normal
Exploitable: local
Date: March 09, 2016
Bug(s): #550152
ID: 201603-04

Synopsis

The fusermount binary in FUSE does not properly clear the
environment before invoking mount or umount as root, which allows a local
user to overwrite arbitrary files.


Background

FUSE provides an interface for filesystems implemented in userspace.

Affected Packages

Package: sys-fs/fuse
Vulnerable: < 2.9.4
Unaffected: >= 2.9.4
Architectures: All supported architectures


Description

The fusermount binary calls setuid(geteuid()) to reset the RUID when it
invokes /bin/mount so that it can use privileged mount options that are
normally restricted if RUID != EUID. FUSE does not properly clear
environment variables before invoking mount or umount as root, so they
are passed through to operations running with elevated privileges. One
such variable is LIBMOUNT_MTAB, which is used by the mount command's
debugging feature.


Impact

The FUSE vulnerability allows a local, unprivileged user to overwrite
arbitrary files on the system.


Workaround

There is no known workaround at this time.

Resolution

All FUSE users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/fuse-2.9.4"


References


CVE-2015-3202
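
The general mitigation for the class of flaw described in this advisory, as an added example (not code from the advisory or from the FUSE project): a wrapper hands its helper a fixed environment instead of the caller's. The function names, the `/bin/sh` probe and the `LIBMOUNT_MTAB` value are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Fixed environment for the helper: nothing is inherited from the caller. */
static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Fork, exec argv[0] with envp, and return the child's exit status (-1 on error). */
int run_helper(char *const argv[], char *const envp[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Returns 1 if a child started this way can see LIBMOUNT_MTAB, 0 if not, -1 on error. */
int child_sees_variable(int use_clean_env)
{
    /* Constructed value; the probe only tests whether the name is set. */
    if (setenv("LIBMOUNT_MTAB", "/nonexistent/constructed-example", 1) != 0)
        return -1;
    char *argv[] = { "/bin/sh", "-c", "[ -n \"${LIBMOUNT_MTAB+x}\" ]", NULL };
    int rc = run_helper(argv, use_clean_env ? clean_env : environ);
    if (rc != 0 && rc != 1)
        return -1;
    return rc == 0;
}

int main(void)
{
    printf("inherited environment: visible=%d\n", child_sees_variable(0));
    printf("cleared environment:   visible=%d\n", child_sees_variable(1));
    return 0;
}
```

Passing an explicit environment to `execve()` is an allow-list: variables the wrapper did not name never reach the helper, including ones added to the helper in later releases.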