/usr/bin/fusermount: fusermount allows unmount any filesystem

Related Vulnerabilities: CVE-2009-3297   CVE-2010-0789   CVE-2010-3879  

Debian Bug report logs - #602333

Package: fuse-utils; Maintainer for fuse-utils is (unknown);

Reported by: Paul Szabo <paul.szabo@sydney.edu.au>

Date: Wed, 3 Nov 2010 20:27:01 UTC

Severity: grave

Tags: security, squeeze-ignore

Found in versions fuse/2.8.4-1.1, fuse/2.7.4-1.1+lenny1

Fixed in version 2.8.5-1

Done: Daniel Baumann <daniel.baumann@progress-technologies.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Wed, 03 Nov 2010 20:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Szabo <paul.szabo@sydney.edu.au>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bartosz Fenski <fenio@debian.org>. (Wed, 03 Nov 2010 20:27:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Paul Szabo <paul.szabo@sydney.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Thu, 04 Nov 2010 07:24:56 +1100
[Message part 1 (text/plain, inline)]
Package: fuse-utils
Version: 2.7.4-1.1+lenny1
Severity: grave
File: /usr/bin/fusermount
Tags: security
Justification: user security hole


As reported on a public mailing list, fusermount in Ubuntu allows
unprivileged users to unmount anything. I wonder if Debian is affected.
Relevant files attached below.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-pk04.00-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages fuse-utils depends on:
ii  adduser                 3.110            add and remove users and groups
ii  libc6                   2.7-18lenny6     GNU C Library: Shared libraries
ii  libfuse2                2.7.4-1.1+lenny1 Filesystem in USErspace library
ii  makedev                 2.3.1-88         creates device files in /dev
ii  sed                     4.1.5-6          The GNU sed stream editor
ii  udev                    0.125-7+lenny3   /dev/ and hotplug management daemo

fuse-utils recommends no packages.

fuse-utils suggests no packages.

-- no debconf information
[lists.grok.org.uk:pipermail:full-disclosure:2010-November:077247.html (text/html, attachment)]
[www.halfdog.net:Security:FuseTimerace:index.html (application/xml, attachment)]
[FuseMinimal.c (text/plain, attachment)]
[DirModifyInotify.c (text/x-pascal, attachment)]
[Test.sh (text/x-shellscript, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Wed, 03 Nov 2010 21:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Wed, 03 Nov 2010 21:00:03 GMT) (full text, mbox, link).


Message #10 received at 602333@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Paul Szabo <paul.szabo@sydney.edu.au>, 602333@bugs.debian.org
Subject: Re: Bug#602333: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Wed, 03 Nov 2010 20:56:15 +0000
On Thu, 2010-11-04 at 07:24 +1100, Paul Szabo wrote:
> As reported on a public mailing list, fusermount in Ubuntu allows
> unprivileged users to unmount anything. I wonder if Debian is affected.

It would be more helpful if you checked, before filing grave bugs on
packages.

This sounds very much like CVE-2009-3297, which has been fixed in
unstable, testing and stable since February (see DSA-1989-1).

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Wed, 03 Nov 2010 21:36:06 GMT) (full text, mbox, link).


Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Wed, 03 Nov 2010 21:36:06 GMT) (full text, mbox, link).


Message #15 received at 602333@bugs.debian.org (full text, mbox, reply):

From: paul.szabo@sydney.edu.au
To: 602333@bugs.debian.org, adam@adam-barratt.org.uk
Subject: Re: Bug#602333: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Thu, 4 Nov 2010 08:34:02 +1100
Dear Adam,

> It would be more helpful if you checked, before filing grave bugs on
> packages.

I apologize for my laziness. I do not normally use fuse. Maybe I could
set up a test machine, but (unless I succeeded in the exploit) would not
properly know whether Debian was safe. I thought it was better to warn
now, than leave blissfully vulnerable.

> This sounds very much like CVE-2009-3297, which has been fixed in
> unstable, testing and stable since February (see DSA-1989-1).

The page  http://www.debian.org/security/2010/dsa-1989  refers to
http://bugs.debian.org/567633  which says:
  a race condition if two fusermount -u instances are run in parallel
so that does not seem to be the same issue.

The page  http://security-tracker.debian.org/tracker/DSA-1989-1  points
to  http://security-tracker.debian.org/tracker/CVE-2010-0789  which
mentions "a symlink attack", which may be closer to this issue.

I would expect DSA-1989 to have been adopted and fixed by Ubuntu,
where the original poster says he found the issue.

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Mon, 22 Nov 2010 19:51:19 GMT) (full text, mbox, link).


Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Mon, 22 Nov 2010 19:51:19 GMT) (full text, mbox, link).


Message #20 received at 602333@bugs.debian.org (full text, mbox, reply):

From: paul.szabo@sydney.edu.au
To: 602333@bugs.debian.org, adam@adam-barratt.org.uk
Subject: Re: Bug#602333: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Tue, 23 Nov 2010 06:50:10 +1100
Ubuntu has now added the reference CVE-2010-3879 to
https://bugs.launchpad.net/bugs/670622 and marked it "confirmed".
Other interesting references:
https://bugzilla.redhat.com/show_bug.cgi?id=651183
https://bugzilla.novell.com/show_bug.cgi?id=651598

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Bug Marked as found in versions fuse/2.8.4-1.1. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Wed, 15 Dec 2010 22:30:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Sun, 26 Dec 2010 17:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 26 Dec 2010 17:39:03 GMT) (full text, mbox, link).


Message #27 received at 602333@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: paul.szabo@sydney.edu.au, 602333@bugs.debian.org
Cc: adam@adam-barratt.org.uk
Subject: Re: Bug#602333: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Sun, 26 Dec 2010 18:36:43 +0100
[Message part 1 (text/plain, inline)]
user release.debian.org@packages.debian.org
usertag 602333 squeeze-can-defer
kthxbye

On Tue, Nov 23, 2010 at 06:50:10 +1100, paul.szabo@sydney.edu.au wrote:

> Ubuntu has now added the reference CVE-2010-3879 to
> https://bugs.launchpad.net/bugs/670622 and marked it "confirmed".
> Other interesting references:
> https://bugzilla.redhat.com/show_bug.cgi?id=651183
> https://bugzilla.novell.com/show_bug.cgi?id=651598
> 
Looks like there's still no fix available?  Tagging as can-defer for
squeeze, this can be handled through security.d.o or a point release.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Sun, 02 Jan 2011 19:09:10 GMT) (full text, mbox, link).


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 02 Jan 2011 19:09:10 GMT) (full text, mbox, link).


Message #32 received at 602333@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: 602333@bugs.debian.org, Paul Szabo <paul.szabo@sydney.edu.au>, Miklos Szeredi <mszeredi@inf.bme.hu>
Subject: Re: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Sun, 02 Jan 2011 19:06:29 +0000
[Message part 1 (text/plain, inline)]
I've been trying to get to the bottom of this bug over the past day, not
helped by libfuse redirecting fusermount's stderr to /dev/null.

There are actually two bugs here with roughly the same effect.

When mounting, fusermount must:
1. Make the mount() system call;
2. Run the mount command to record the mountpoint in /etc/mtab;
3. If (2) fails then unmount using the umount2() system call.

We must prevent the mount command from canonicalising symlinks when
adding to /etc/mtab.  This is supposed to be done already, but there is
an automatic fallback for compatibility with old versions of the mount
command which can be exploited by forcing the first invocation to fail.

Currently (3) uses the absolute path, which may have been redirected
since (1).

I'll apply the attached patch for squeeze.  Unfortunately we cannot fix
the first bug on lenny as its version of mount does not support
--no-canonicalize.  There is no point in fixing only one of the bugs.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
[004-CVE-2010-3879.dpatch (application/x-shellscript, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Sun, 02 Jan 2011 19:15:18 GMT) (full text, mbox, link).


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 02 Jan 2011 19:15:18 GMT) (full text, mbox, link).


Message #37 received at 602333@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: 602333@bugs.debian.org
Cc: Paul Szabo <paul.szabo@sydney.edu.au>, Miklos Szeredi <mszeredi@inf.bme.hu>
Subject: Re: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Sun, 02 Jan 2011 19:14:53 +0000
[Message part 1 (text/plain, inline)]
On Sun, 2011-01-02 at 19:06 +0000, Ben Hutchings wrote:

> I'll apply the attached patch for squeeze.  Unfortunately we cannot fix
> the first bug on lenny as its version of mount does not support
> --no-canonicalize.  There is no point in fixing only one of the bugs.

Actually, this doesn't quite work: the call to umount2() will refer to
the mountpoint directory (now hidden) whereas we need to refer to the
mounted directory.  Maybe this call should be removed completely, as I
don't think it can be made reliable.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
[signature.asc (application/pgp-signature, inline)]

Added tag(s) squeeze-ignore. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Tue, 04 Jan 2011 20:21:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Wed, 19 Jan 2011 20:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Wed, 19 Jan 2011 20:21:03 GMT) (full text, mbox, link).


Message #44 received at 602333@bugs.debian.org (full text, mbox, reply):

From: paul.szabo@sydney.edu.au
To: 602333@bugs.debian.org
Subject: Re: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Thu, 20 Jan 2011 07:16:39 +1100
Ubuntu claims to have this fixed:
https://bugs.launchpad.net/bugs/670622
http://www.ubuntu.com/usn/usn-1045-1
http://www.ubuntu.com/usn/usn-1045-2
Last two references not yet available, see
https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-January/date.html
instead.

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Reply sent to daniel.baumann@progress-technologies.net:
You have taken responsibility. (Thu, 26 May 2011 09:42:10 GMT) (full text, mbox, link).


Notification sent to Paul Szabo <paul.szabo@sydney.edu.au>:
Bug acknowledged by developer. (Thu, 26 May 2011 09:42:13 GMT) (full text, mbox, link).


Message #49 received at 602333-done@bugs.debian.org (full text, mbox, reply):

From: Daniel Baumann <daniel.baumann@progress-technologies.net>
To: 602333-done@bugs.debian.org
Subject: Re: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Thu, 26 May 2011 11:39:42 +0200
Version: 2.8.5-1

-- 
Address:        Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email:          daniel.baumann@progress-technologies.net
Internet:       http://people.progress-technologies.net/~daniel.baumann/




Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@progress-technologies.net>:
Bug#602333; Package fuse-utils. (Sun, 08 Jul 2012 20:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@progress-technologies.net>. (Sun, 08 Jul 2012 20:15:04 GMT) (full text, mbox, link).


Message #54 received at 602333@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: 602333@bugs.debian.org
Subject: Re: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Sun, 08 Jul 2012 15:24:43 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/602333/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@progress-technologies.net>:
Bug#602333; Package fuse-utils. (Sun, 08 Jul 2012 21:18:12 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@progress-technologies.net>. (Sun, 08 Jul 2012 21:21:24 GMT) (full text, mbox, link).


Message #59 received at 602333@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: 602333@bugs.debian.org
Subject: Re: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Sun, 08 Jul 2012 17:38:26 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/602333/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:38:54 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:24:06 2019; Machine Name: beach
