It was found that FUSE, a Filesystem in USErspace, did not properly sanitize environment variables before executing a mount or umount operation with elevated privileges. A local attacker could use this flaw to overwrite arbitrary files on the system or escalate their privileges. Additional details: http://seclists.org/oss-sec/2015/q2/520 Patch proposed on distros is attached.
Created attachment 1028606 CVE-2015-3202.patch
Created ntfs-3g tracking bugs for this issue: Affects: fedora-all [bug 1224105] Affects: epel-all [bug 1224108]
Created fuse tracking bugs for this issue: Affects: fedora-all [bug 1224104]
Upstream commit: http://sourceforge.net/p/fuse/fuse/ci/fe2d96/ On affected systems, this issue would allow local users to escalate their privileges to root, and hence would be rated as an Important impact issue. Red Hat Enterprise Linux is not affected by the published attack. On Red Hat Enterprise Linux 7, /etc/mtab is not a regular file but a symlink to /proc/self/mtab. That prevents fusermount from running mount and umount (see the mtab_needs_update() function). Even though mount and umount in Red Hat Enterprise Linux 7 use libmount, which supports reading the LIBMOUNT_MTAB environment variable, they are not run by fusermount. The same applies to current Fedora versions. On Red Hat Enterprise Linux 5 and 6, /etc/mtab is a regular file and hence fusermount runs the mount and umount commands. However, mount and umount in Red Hat Enterprise Linux 6 and earlier do not use libmount (on Red Hat Enterprise Linux 6, libmount is part of the util-linux-ng packages, but not used by the mount and umount commands; on Red Hat Enterprise Linux 5, the util-linux packages do not contain the libmount library). Red Hat Enterprise Linux 7 Hypervisor contains the libguestfs-winsupport packages, which include ntfs-3g. However, ntfs-3g is not installed as setuid root and hence there is no privilege escalation risk.
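The three conditions in the comment above (setuid helper, regular-file /etc/mtab, mount linked against libmount) can be checked on a host with a short triage script. This is an added example, not part of the bug report or of the FUSE project; the function names and verdict strings are hypothetical, and the fallback paths /bin/fusermount and /bin/mount are assumptions.

```shell
#!/bin/sh
# Added triage example (hypothetical helper names). Paths are parameters so
# the logic can be exercised on constructed files as well as on a real host.

# True if the mtab path is a regular file and not a symlink: the case in
# which, per the comment, fusermount runs the mount and umount commands.
mtab_is_regular() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# True if the file exists and has the setuid bit set.
is_setuid() {
    [ -u "$1" ]
}

# True if the binary is dynamically linked against libmount.
links_libmount() {
    ldd "$1" 2>/dev/null | grep -q 'libmount\.so'
}

# Print one verdict for an mtab path, a FUSE helper and a mount binary.
#   not-setuid        helper runs without elevated privileges
#   mtab-not-regular  mtab is a symlink (or absent), not a regular file
#   no-libmount       mount is not linked against libmount
#   review            none of the above holds: check the installed
#                     fuse / ntfs-3g version against the fixed builds
fuse_env_exposure() {
    mtab=$1; helper=$2; mountbin=$3
    if ! is_setuid "$helper"; then
        echo "not-setuid"
    elif ! mtab_is_regular "$mtab"; then
        echo "mtab-not-regular"
    elif ! links_libmount "$mountbin"; then
        echo "no-libmount"
    else
        echo "review"
    fi
}

# Run against the local host; fallback paths are assumptions.
fuse_env_exposure /etc/mtab \
    "$(command -v fusermount || echo /bin/fusermount)" \
    "$(command -v mount || echo /bin/mount)"
```

Run it once per setuid helper of interest, for example passing the path of the ntfs-3g binary as the second argument.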
ntfs-3g-2015.3.14-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
ntfs-3g-2015.3.14-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
fuse-2.9.4-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
fuse-2.9.4-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
ntfs-3g-2015.3.14-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
ntfs-3g-2015.3.14-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
fuse-2.9.4-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
ntfs-3g-2015.3.14-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
See comment #4 for more details on how this affects Red Hat Enterprise Linux 7. Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.