Debian Bug report logs - #602333
/usr/bin/fusermount: fusermount allows unmount any filesystem

version graph

Package: fuse-utils; Maintainer for fuse-utils is Daniel Baumann <daniel.baumann@progress-technologies.net>; Source for fuse-utils is src:fuse.

Reported by: Paul Szabo <paul.szabo@sydney.edu.au>

Date: Wed, 3 Nov 2010 20:27:01 UTC

Severity: grave

Tags: security, squeeze-ignore

Found in versions fuse/2.8.4-1.1, fuse/2.7.4-1.1+lenny1

Fixed in version 2.8.5-1

Done: Daniel Baumann <daniel.baumann@progress-technologies.net>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Wed, 03 Nov 2010 20:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <paul.szabo@sydney.edu.au>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bartosz Fenski <fenio@debian.org>. (Wed, 03 Nov 2010 20:27:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Paul Szabo <paul.szabo@sydney.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Thu, 04 Nov 2010 07:24:56 +1100
[Message part 1 (text/plain, inline)]
Package: fuse-utils
Version: 2.7.4-1.1+lenny1
Severity: grave
File: /usr/bin/fusermount
Tags: security
Justification: user security hole


As reported on a public mailing list, fusermount in Ubuntu allows
unprivileged users to unmount anything. I wonder if Debian is affected.
Relevant files attached below.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-pk04.00-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages fuse-utils depends on:
ii  adduser                 3.110            add and remove users and groups
ii  libc6                   2.7-18lenny6     GNU C Library: Shared libraries
ii  libfuse2                2.7.4-1.1+lenny1 Filesystem in USErspace library
ii  makedev                 2.3.1-88         creates device files in /dev
ii  sed                     4.1.5-6          The GNU sed stream editor
ii  udev                    0.125-7+lenny3   /dev/ and hotplug management daemo

fuse-utils recommends no packages.

fuse-utils suggests no packages.

-- no debconf information
[lists.grok.org.uk:pipermail:full-disclosure:2010-November:077247.html (text/html, attachment)]
[www.halfdog.net:Security:FuseTimerace:index.html (application/xml, attachment)]
[FuseMinimal.c (text/plain, attachment)]
[DirModifyInotify.c (text/x-pascal, attachment)]
[Test.sh (text/x-shellscript, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Wed, 03 Nov 2010 21:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Wed, 03 Nov 2010 21:00:03 GMT) Full text and rfc822 format available.

Message #10 received at 602333@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Paul Szabo <paul.szabo@sydney.edu.au>, 602333@bugs.debian.org
Subject: Re: Bug#602333: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Wed, 03 Nov 2010 20:56:15 +0000
On Thu, 2010-11-04 at 07:24 +1100, Paul Szabo wrote:
> As reported on a public mailing list, fusermount in Ubuntu allows
> unprivileged users to unmount anything. I wonder if Debian is affected.

It would be more helpful if you checked, before filing grave bugs on
packages.

This sounds very much like CVE-2009-3297, which has been fixed in
unstable, testing and stable since February (see DSA-1989-1).

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Wed, 03 Nov 2010 21:36:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Wed, 03 Nov 2010 21:36:06 GMT) Full text and rfc822 format available.

Message #15 received at 602333@bugs.debian.org (full text, mbox):

From: paul.szabo@sydney.edu.au
To: 602333@bugs.debian.org, adam@adam-barratt.org.uk
Subject: Re: Bug#602333: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Thu, 4 Nov 2010 08:34:02 +1100
Dear Adam,

> It would be more helpful if you checked, before filing grave bugs on
> packages.

I apologize for my laziness. I do not normally use fuse. Maybe I could
set up a test machine, but (unless succeeded in the exploit) would not
properly know whether Debian was safe. I thought it was better to warn
now, than leave blissfully vulnerable.

> This sounds very much like CVE-2009-3297, which has been fixed in
> unstable, testing and stable since February (see DSA-1989-1).

The page  http://www.debian.org/security/2010/dsa-1989  refers to
http://bugs.debian.org/567633  which says:
  a race condition if two fusermount -u instances are run in paralell
so that does not seem to be the same issue.

The page  http://security-tracker.debian.org/tracker/DSA-1989-1  points
to  http://security-tracker.debian.org/tracker/CVE-2010-0789  which
mentions "a symlink attack", which may be closer to this issue.

I would expect DSA-1989 to have been adopted and fixed by Ubuntu,
where the original poster says he found the issue.

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Mon, 22 Nov 2010 19:51:19 GMT) Full text and rfc822 format available.

Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Mon, 22 Nov 2010 19:51:19 GMT) Full text and rfc822 format available.

Message #20 received at 602333@bugs.debian.org (full text, mbox):

From: paul.szabo@sydney.edu.au
To: 602333@bugs.debian.org, adam@adam-barratt.org.uk
Subject: Re: Bug#602333: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Tue, 23 Nov 2010 06:50:10 +1100
Ubuntu has now added the reference CVE-2010-3879 to
https://bugs.launchpad.net/bugs/670622 and marked in "confirmed".
Other interesting references:
https://bugzilla.redhat.com/show_bug.cgi?id=651183
https://bugzilla.novell.com/show_bug.cgi?id=651598

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Bug Marked as found in versions fuse/2.8.4-1.1. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Wed, 15 Dec 2010 22:30:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Sun, 26 Dec 2010 17:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 26 Dec 2010 17:39:03 GMT) Full text and rfc822 format available.

Message #27 received at 602333@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: paul.szabo@sydney.edu.au, 602333@bugs.debian.org
Cc: adam@adam-barratt.org.uk
Subject: Re: Bug#602333: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Sun, 26 Dec 2010 18:36:43 +0100
[Message part 1 (text/plain, inline)]
user release.debian.org@packages.debian.org
usertag 602333 squeeze-can-defer
kthxbye

On Tue, Nov 23, 2010 at 06:50:10 +1100, paul.szabo@sydney.edu.au wrote:

> Ubuntu has now added the reference CVE-2010-3879 to
> https://bugs.launchpad.net/bugs/670622 and marked in "confirmed".
> Other interesting references:
> https://bugzilla.redhat.com/show_bug.cgi?id=651183
> https://bugzilla.novell.com/show_bug.cgi?id=651598
> 
Looks like there's still no fix available?  Tagging as can-defer for
squeeze, this can be handled through security.d.o or a point release.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Sun, 02 Jan 2011 19:09:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 02 Jan 2011 19:09:10 GMT) Full text and rfc822 format available.

Message #32 received at 602333@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 602333@bugs.debian.org, Paul Szabo <paul.szabo@sydney.edu.au>, Miklos Szeredi <mszeredi@inf.bme.hu>
Subject: Re: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Sun, 02 Jan 2011 19:06:29 +0000
[Message part 1 (text/plain, inline)]
I've been trying to get to the bottom of this bug over the past day, not
helped by libfuse redirecting fusermount's stderr to /dev/null.

There are actually two bugs here with roughly the same effect.

When mounting, fusermount must:
1. Make the mount() system call;
2. Run the mount command to record the mountpoint in /etc/mtab;
3. If (2) fails then unmount using the umount2() system call.

We must prevent the mount command from canonicalising symlinks when
adding to /etc/mtab.  This is supposed to be done already, but there is
an automatic fallback for compatibility with old versions of the mount
command which can be exploited by forcing the first invocation to fail.

Currently (3) uses the absolute path, which may have been redirected
since (1).

I'll apply the attached patch for squeeze.  Unfortunately we cannot fix
the first bug on lenny as its version of mount does not support
--no-canonicalize.  There is no point in fixing only one of the bugs.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
[004-CVE-2010-3879.dpatch (application/x-shellscript, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Sun, 02 Jan 2011 19:15:18 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 02 Jan 2011 19:15:18 GMT) Full text and rfc822 format available.

Message #37 received at 602333@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 602333@bugs.debian.org
Cc: Paul Szabo <paul.szabo@sydney.edu.au>, Miklos Szeredi <mszeredi@inf.bme.hu>
Subject: Re: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Sun, 02 Jan 2011 19:14:53 +0000
[Message part 1 (text/plain, inline)]
On Sun, 2011-01-02 at 19:06 +0000, Ben Hutchings wrote:

> I'll apply the attached patch for squeeze.  Unfortunately we cannot fix
> the first bug on lenny as its version of mount does not support
> --no-canonicalize.  There is no point in fixing only one of the bugs.

Actually, this doesn't quite work: the call to umount2() will refer to
the mountpoint directory (now hidden) whereas we need to refer to the
mounted directory.  Maybe this call should be removed completely, as I
don't think it can be made reliable.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
[signature.asc (application/pgp-signature, inline)]

Added tag(s) squeeze-ignore. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Tue, 04 Jan 2011 20:21:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#602333; Package fuse-utils. (Wed, 19 Jan 2011 20:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Wed, 19 Jan 2011 20:21:03 GMT) Full text and rfc822 format available.

Message #44 received at 602333@bugs.debian.org (full text, mbox):

From: paul.szabo@sydney.edu.au
To: 602333@bugs.debian.org
Subject: Re: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Thu, 20 Jan 2011 07:16:39 +1100
Ubuntu claims to have this fixed:
https://bugs.launchpad.net/bugs/670622
http://www.ubuntu.com/usn/usn-1045-1
http://www.ubuntu.com/usn/usn-1045-2
Last two references not yet available, see
https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-January/date.html
instead.

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Reply sent to daniel.baumann@progress-technologies.net:
You have taken responsibility. (Thu, 26 May 2011 09:42:10 GMT) Full text and rfc822 format available.

Notification sent to Paul Szabo <paul.szabo@sydney.edu.au>:
Bug acknowledged by developer. (Thu, 26 May 2011 09:42:13 GMT) Full text and rfc822 format available.

Message #49 received at 602333-done@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@progress-technologies.net>
To: 602333-done@bugs.debian.org
Subject: Re: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Thu, 26 May 2011 11:39:42 +0200
Version: 2.8.5-1

-- 
Address:        Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email:          daniel.baumann@progress-technologies.net
Internet:       http://people.progress-technologies.net/~daniel.baumann/




Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@progress-technologies.net>:
Bug#602333; Package fuse-utils. (Sun, 08 Jul 2012 20:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@progress-technologies.net>. (Sun, 08 Jul 2012 20:15:04 GMT) Full text and rfc822 format available.

Message #54 received at 602333@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 602333@bugs.debian.org
Subject: Re: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Sun, 08 Jul 2012 15:24:43 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/602333/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@progress-technologies.net>:
Bug#602333; Package fuse-utils. (Sun, 08 Jul 2012 21:18:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@progress-technologies.net>. (Sun, 08 Jul 2012 21:21:24 GMT) Full text and rfc822 format available.

Message #59 received at 602333@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 602333@bugs.debian.org
Subject: Re: /usr/bin/fusermount: fusermount allows unmount any filesystem
Date: Sun, 08 Jul 2012 17:38:26 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/602333/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:38:54 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 13:33:26 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.