Bug 1224103 - (CVE-2015-3202) CVE-2015-3202 fuse: incorrect filtering of environment variables leading to privilege escalation
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20150521,reported=2...
: Security
Depends On: 1224104 1224105 1224108
Blocks: 1224110
Reported: 2015-05-22 04:32 EDT by Martin Prpič
Modified: 2015-08-24 09:23 EDT
Doc Type: Bug Fix
Doc Text:
It was discovered that fusermount failed to properly sanitize its environment before executing mount and umount commands. A local user could possibly use this flaw to escalate their privileges on the system.
Last Closed: 2015-08-22 19:11:47 EDT

Attachments:
CVE-2015-3202.patch (1.75 KB, text/plain), 2015-05-22 04:33 EDT, Martin Prpič

Description Martin Prpič 2015-05-22 04:32:27 EDT
It was found that FUSE, a Filesystem in USErspace, did not properly sanitize environment variables before executing a mount or umount operation with elevated privileges. A local attacker could use this flaw to overwrite arbitrary files on the system or escalate their privileges.

Additional details:

http://seclists.org/oss-sec/2015/q2/520

Patch proposed on distros is attached.
Comment 1 Martin Prpič 2015-05-22 04:33:13 EDT
Created attachment 1028606
CVE-2015-3202.patch
Comment 2 Martin Prpič 2015-05-22 04:33:54 EDT
Created ntfs-3g tracking bugs for this issue:

Affects: fedora-all [bug 1224105]
Affects: epel-all [bug 1224108]
Comment 3 Martin Prpič 2015-05-22 04:33:56 EDT
Created fuse tracking bugs for this issue:

Affects: fedora-all [bug 1224104]
Comment 4 Tomas Hoger 2015-05-25 16:12:05 EDT
Upstream commit:
http://sourceforge.net/p/fuse/fuse/ci/fe2d96/

On affected systems, this issue would allow local users to escalate their privileges to root, and hence would be rated as an Important impact issue.

Red Hat Enterprise Linux is not affected by the published attack.

On Red Hat Enterprise Linux 7, /etc/mtab is not a regular file but a symlink to /proc/self/mtab. That prevents fusermount from running mount and umount (see the mtab_needs_update() function). Even though mount and umount in Red Hat Enterprise Linux 7 use libmount, which supports reading the LIBMOUNT_MTAB environment variable, they are not run by fusermount. Similar applies to current Fedora versions.

On Red Hat Enterprise Linux 5 and 6, /etc/mtab is a regular file and hence fusermount runs the mount and umount commands. However, mount and umount in Red Hat Enterprise Linux 6 and earlier do not use libmount (on Red Hat Enterprise Linux 6, libmount is part of the util-linux-ng packages, but not used by the mount and umount commands; on Red Hat Enterprise Linux 5, the util-linux packages do not contain the libmount library).

Red Hat Enterprise Linux 7 Hypervisor contains the libguestfs-winsupport packages, which include ntfs-3g. However, ntfs-3g is not installed as setuid root and hence there is no privilege escalation risk.
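
The two local preconditions discussed in Comment 4 (a regular-file mtab and a setuid-root helper) can be checked with a short script. This is an added example, not part of the bug report or of fuse; the default paths and the OWNER_UID override are assumptions.

```shell
#!/bin/sh
# Added example: exposure triage following the reasoning in Comment 4.
# Default paths and the OWNER_UID override are assumptions of this sketch.

# Succeeds when PATH is a regular file and not a symlink: the case in which,
# per Comment 4, fusermount goes on to run mount and umount.
mtab_is_regular() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# Succeeds when PATH has the setuid bit and is owned by UID (default 0).
is_setuid_owned_by() {
    [ -u "$1" ] || return 1
    owner=$(stat -L -c %u "$1" 2>/dev/null) || return 1
    [ "$owner" = "${2:-0}" ]
}

# assess MTAB HELPER...: one verdict line per helper.
# Returns 1 if any helper meets both preconditions, 0 otherwise.
assess() {
    mtab=$1; shift
    exposed=0
    for bin in "$@"; do
        if ! is_setuid_owned_by "$bin" "${OWNER_UID:-0}"; then
            echo "$bin: absent or not setuid root; no privilege boundary here"
        elif ! mtab_is_regular "$mtab"; then
            echo "$bin: setuid root, but $mtab is not a regular file"
        else
            echo "$bin: setuid root and $mtab is a regular file;" \
                 "check whether mount/umount use libmount, then update"
            exposed=1
        fi
    done
    return "$exposed"
}

# Run against the live system only when asked to (paths are assumptions).
if [ "${1:-}" = "--system" ]; then
    assess /etc/mtab /usr/bin/fusermount /usr/bin/ntfs-3g
fi
```

A non-zero result only means both local preconditions hold; as Comment 4 notes, whether mount and umount use libmount still decides if the published attack applies.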
Comment 10 Fedora Update System 2015-06-01 13:01:47 EDT
ntfs-3g-2015.3.14-2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-06-05 19:54:21 EDT
ntfs-3g-2015.3.14-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2015-06-07 11:59:27 EDT
fuse-2.9.4-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2015-06-09 11:08:17 EDT
fuse-2.9.4-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2015-06-10 15:18:13 EDT
ntfs-3g-2015.3.14-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2015-06-11 14:45:18 EDT
ntfs-3g-2015.3.14-2.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2015-06-13 02:34:31 EDT
fuse-2.9.4-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2015-06-13 02:37:15 EDT
ntfs-3g-2015.3.14-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Vincent Danen 2015-08-22 19:11:36 EDT
See comment #4 for more details on how this affects Red Hat Enterprise Linux 7.

Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
