[Secure-testing-team] Bug#602333: /usr/bin/fusermount: fusermount allows unmount any filesystem

Paul Szabo paul.szabo at sydney.edu.au
Wed Nov 3 20:24:56 UTC 2010


Package: fuse-utils
Version: 2.7.4-1.1+lenny1
Severity: grave
File: /usr/bin/fusermount
Tags: security
Justification: user security hole


As reported on a public mailing list, fusermount in Ubuntu allows
unprivileged users to unmount anything. I wonder if Debian is affected.
Relevant files attached below.

Cheers,

Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-pk04.00-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages fuse-utils depends on:
ii  adduser                 3.110            add and remove users and groups
ii  libc6                   2.7-18lenny6     GNU C Library: Shared libraries
ii  libfuse2                2.7.4-1.1+lenny1 Filesystem in USErspace library
ii  makedev                 2.3.1-88         creates device files in /dev
ii  sed                     4.1.5-6          The GNU sed stream editor
ii  udev                    0.125-7+lenny3   /dev/ and hotplug management daemo

fuse-utils recommends no packages.

fuse-utils suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: www.halfdog.net:Security:FuseTimerace:index.html
Type: application/xml
Size: 2747 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20101104/8345b674/attachment-0001.xml>
-------------- next part --------------
/** Minimal userspace file system demo, compile using
 *  gcc -D_FILE_OFFSET_BITS=64 -lfuse -Wall FuseMinimal.c -o FuseMinimal
 *
 *  Copyright (c) halfdog <me at halfdog.net>
 *  
 *  This software is provided by the copyright owner "as is" to
 *  study it but without any expressed or implied warranties, that
 *  this software is fit for any other purpose. If you try to compile
 *  or run it, you do it solely on your own risk and the copyright
 *  owner shall not be liable for any direct or indirect damage
 *  caused by this software.
 */

#define FUSE_USE_VERSION 26

#include <errno.h>
#include <fuse.h>
#include <string.h>

/* Report attributes: only the root directory exists in this file system. */
static int io_getattr(const char *path, struct stat *stbuf) {
  int res=-ENOENT;  /* any path other than "/" does not exist */
  memset(stbuf, 0, sizeof(struct stat));
  if (strcmp(path, "/") == 0) {
    stbuf->st_mode=S_IFDIR|0755;
    stbuf->st_nlink=2;
    res=0;
  }
  return(res);
}


/* List the root directory, which contains only "." and "..". */
static int io_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
    off_t offset, struct fuse_file_info *fi) {
  (void) offset;
  (void) fi;
  if(strcmp(path, "/")!=0) return -ENOENT;

  filler(buf, ".", NULL, 0);
  filler(buf, "..", NULL, 0);
  return 0;
}

static struct fuse_operations hello_oper = {
  .getattr	= io_getattr,
  .readdir	= io_readdir,
};

int main(int argc, char *argv[]) {
  return fuse_main(argc, argv, &hello_oper, NULL);
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DirModifyInotify.c
Type: text/x-pascal
Size: 3393 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20101104/8345b674/attachment-0001.pas>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Test.sh
Type: text/x-shellscript
Size: 659 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20101104/8345b674/attachment-0001.bin>

