Closed
Opened Jul 30, 2018 by Alicha CH (@alicha, Reporter)

[3.9] fuse: bypass of the "user_allow_other" restriction when SELinux is active (CVE-2018-10906)

In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is
vulnerable to a restriction bypass when SELinux is active. This allows
non-root users to mount a FUSE file system with the ‘allow_other’ mount
option regardless of whether ‘user_allow_other’ is set in the fuse
configuration. An attacker may use this flaw to mount a FUSE file system,
accessible by other users, and trick them into accessing files on that file
system, possibly causing Denial of Service or other unspecified effects.

References:

http://openwall.com/lists/oss-security/2018/07/24/1
https://nvd.nist.gov/vuln/detail/CVE-2018-10906

Patches:

https://github.com/libfuse/libfuse/commit/28bdae3d113ef479c1660a581ef720cdc33bf466
https://github.com/libfuse/libfuse/commit/5018a0c016495155ee598b7e0167b43d5d902414

(from redmine: issue id 9151, created on 2018-07-30, closed on 2018-07-31)

  • Relations:
    • copied_to #9150 (closed)
    • parent #9150 (closed)
  • Changesets:
    • Revision cab094ae by Natanael Copa on 2018-07-30T16:03:32Z:
main/fuse: security upgrade to 2.9.8 (CVE-2018-10906)

fixes #9151
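
An added detection sketch for the condition described in this issue (not code from the issue, Alpine, or libfuse): it flags FUSE mounts that carry `allow_other` for a non-root `user_id` while `user_allow_other` is not enabled in the fuse configuration, and checks a package version against the affected ranges quoted above. The function names and sample data are constructed for illustration; it assumes mounts are read in `/proc/mounts` format, and a hit is a lead to review rather than proof of exploitation.

```python
import re

# Constructed sample inputs (not from the issue): a fuse.conf with the option
# commented out, and /proc/mounts-style lines.
SAMPLE_FUSE_CONF = "# mount_max = 1000\n#user_allow_other\n"
SAMPLE_MOUNTS = """\
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
bob@host.example:/srv /home/bob/remote fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
demo /tmp/share fuse.demo rw,nosuid,nodev,relatime,user_id=1001,group_id=1001,allow_other 0 0
/dev/sdb1 /media/usb fuseblk rw,relatime,user_id=0,group_id=0,allow_other 0 0
"""

def version_affected(version):
    """Affected ranges as stated in the issue: < 2.9.8, and 3.x < 3.2.5."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums = tuple(nums + [0] * (3 - len(nums)))
    return nums < (2, 9, 8) or (3, 0, 0) <= nums < (3, 2, 5)

def user_allow_other_enabled(conf_text):
    """True if the fuse configuration has an uncommented user_allow_other line."""
    return any(line.split("#", 1)[0].strip() == "user_allow_other"
               for line in conf_text.splitlines())

def unexpected_allow_other(mounts_text, conf_text):
    """Return (mountpoint, uid) for FUSE mounts that carry allow_other and a
    non-root user_id while user_allow_other is not enabled."""
    if user_allow_other_enabled(conf_text):
        return []
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        fstype, options = fields[2], fields[3].split(",")
        # "fusectl" is the control filesystem, not a user-mounted FUSE fs.
        if fstype not in ("fuse", "fuseblk") and not fstype.startswith("fuse."):
            continue
        uid = next((o[8:] for o in options if o.startswith("user_id=")), "0")
        if "allow_other" in options and uid.isdigit() and int(uid) != 0:
            findings.append((fields[1], int(uid)))
    return findings

if __name__ == "__main__":
    print(version_affected("2.9.7-r0"))
    print(unexpected_allow_other(SAMPLE_MOUNTS, SAMPLE_FUSE_CONF))
```
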

Milestone: 3.9.0 (Past due)
Labels: Normal tag:security type:bug
Reference: alpine/aports#9151