Opened 9 years ago
Closed 9 years ago
#6527 closed enhancement (fixed)
fuse-2.9.4
Reported by: | Fernando de Oliveira | Owned by: | Fernando de Oliveira |
---|---|---|---|
Priority: | high | Milestone: | 7.8 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description
http://downloads.sourceforge.net/fuse/fuse-2.9.4.tar.gz
md5sum ecb712b5ffc6dffd54f4a405c9b372d8
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3202
http://seclists.org/oss-sec/2015/q2/520
https://bugzilla.redhat.com/show_bug.cgi?id=1224103#c0
Martin Prpic 2015-05-22 04:32:27 EDT

It was found that FUSE, a Filesystem in USErspace, did not properly sanitize environment variables before executing a mount or umount operation with elevated privileges. A local attacker could use this flaw to overwrite arbitrary files on the system or escalate their privileges.

Additional details: http://seclists.org/oss-sec/2015/q2/520

Patch proposed on distros is attached.
http://sourceforge.net/p/fuse/fuse/ci/fuse_2_9_bugfix/tree/ChangeLog
2015-05-22 Miklos Szeredi <miklos@szeredi.hu>

* Released 2.9.4
* libfuse: fix exec environment for mount and umount. Found by Tavis Ormandy (CVE-2015-3202).
* libfuse: fix fuse_remove_signal_handlers() to properly restore the default signal handler. Reported by: Chris Johnson
* libfuse: highlevel API: fix directory file handle passed to ioctl() method. Reported by Eric Biggers
* libfuse: document deadlock avoidance for fuse_notify_inval_entry() and fuse_notify_delete()
* fusermount, libfuse: send value as unsigned in "user_id=" and "group_id=" options. Uids/gids larger than 2147483647 would result in EINVAL when mounting the filesystem. This also needs a fix in the kernel.
* Initialize stat buffer passed to ->getattr() and ->fgetattr() to zero in all cases. Reported by Daniel Iwan
* libfuse: Add missing includes. This allows compiling fuse with musl. Patch by Daniel Thau
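The flaw class in the Red Hat report above is a privileged program handing its caller's environment to a helper it executes. The following is an added example, not code from FUSE or from this ticket, that runs a helper once with the inherited environment and once with a fixed one. `run_helper`, `helper_sees_var` and `DEMO_UNTRUSTED_VAR` are hypothetical names, and `/bin/sh` stands in for the mount helper.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Fixed environment for the helper: nothing from the caller is passed on. */
static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Run path with argv. If sanitize is non-zero the child gets only clean_env;
 * otherwise it inherits the caller's environment (unsafe when privileged).
 * Returns the helper's exit status, or -1 on error. */
int run_helper(const char *path, char *const argv[], int sanitize)
{
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, sanitize ? clean_env : environ);
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Returns 1 if the helper can see DEMO_UNTRUSTED_VAR, 0 if not, -1 on error. */
int helper_sees_var(int sanitize)
{
    /* Constructed stand-in for a variable set by an unprivileged caller. */
    char *const argv[] = { "sh", "-c", "[ -n \"${DEMO_UNTRUSTED_VAR+set}\" ]", NULL };
    int rc;

    if (setenv("DEMO_UNTRUSTED_VAR", "caller-chosen", 1) != 0) return -1;
    rc = run_helper("/bin/sh", argv, sanitize);
    return rc == 0 ? 1 : rc == 1 ? 0 : -1;
}

int main(void)
{
    printf("inherited env: helper sees variable = %d\n", helper_sees_var(0));
    printf("clean env:     helper sees variable = %d\n", helper_sees_var(1));
    return 0;
}
```

Building the child's environment from a fixed list, rather than filtering out known-bad names, keeps variables the author never anticipated from reaching the helper.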
Change History (2)
comment:1 by , 9 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at r16015.