path: root/meta-networking
diff options
authorJagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>2018-08-23 16:51:23 +0530
committerArmin Kuster <akuster808@gmail.com>2018-09-04 07:36:55 -0700
commit0fec2df04070651d1b7a6b3d4236e1fdd0af3974 (patch)
treec46d702abccc8a12f552d2a42787f6174e233c1e /meta-networking
parent086be3c7ec949aa9d5059c0e00a34e42711d66af (diff)
fuse: CVE-2018-10906
* CVE-2018-10906-1: fusermount: don't feed "escaped commas" into mount options The old code permits the following behavior: $ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument) However, backslashes do not have any special meaning for the kernel here. As it happens, you can't abuse this because there is no FUSE mount option that takes a string value that can contain backslashes; but this is very brittle. Don't interpret "escape characters" in places where they don't work. * CVE-2018-10906-2: fusermount: refuse unknown options Blacklists are notoriously fragile; especially if the kernel wishes to add some security-critical mount option at a later date, all existing systems with older versions of fusermount installed will suddenly have a security problem. Additionally, if the kernel's option parsing became a tiny bit laxer, the blacklist could probably be bypassed. Whitelist known-harmless flags instead, even if it's slightly more inconvenient. Affects fuse < 2.9.8 and fuse < 3.2.5 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-networking')
0 files changed, 0 insertions, 0 deletions