Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 546
Alerts This Week
Warning Icon 1 546

Red Hat: RHSA-2011:1083-01 Moderate: Fuse Symlink Attack Advisory

red hat
Calendar Grey July 20, 2011
Scroller Redhat Esm H88
Newly revised fuse packages for Red Hat Enterprise Linux 6 have been released, rectifying several security vulnerabilities classified as moderate.
Updated fuse packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

Summary

FUSE (Filesystem in Userspace) can implement a fully functional file system in a user-space program. These packages provide the mount utility, fusermount, the tool used to mount FUSE file systems.
Multiple flaws were found in the way fusermount handled the mounting and unmounting of directories when symbolic links were present. A local user in the fuse group could use these flaws to unmount file systems, which they would otherwise not be able to unmount and that were not mounted using FUSE, via a symbolic link attack. (CVE-2010-3879, CVE-2011-0541, CVE-2011-0542, CVE-2011-0543)
Note: The util-linux-ng RHBA-2011:0699 update must also be installed to fully correct the above flaws.
All users should upgrade to these updated packages, which contain backported patches to correct these issues.

References

https://access.redhat.com/security/cve/CVE-2010-3879 https://access.redhat.com/security/cve/CVE-2011-0541 https://access.redhat.com/security/cve/CVE-2011-0542 https://access.redhat.com/security/cve/CVE-2011-0543 https://access.redhat.com/security/updates/classification#moderate https://access.redhat.com/errata/RHBA-2011:0699.html

Package List

Red Hat Enterprise Linux Desktop (v. 6):
Source:
i386: fuse-2.8.3-3.el6_1.i686.rpm fuse-debuginfo-2.8.3-3.el6_1.i686.rpm fuse-libs-2.8.3-3.el6_1.i686.rpm
x86_64: fuse-2.8.3-3.el6_1.x86_64.rpm fuse-debuginfo-2.8.3-3.el6_1.i686.rpm fuse-debuginfo-2.8.3-3.el6_1.x86_64.rpm fuse-libs-2.8.3-3.el6_1.i686.rpm fuse-libs-2.8.3-3.el6_1.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
i386: fuse-debuginfo-2.8.3-3.el6_1.i686.rpm fuse-devel-2.8.3-3.el6_1.i686.rpm
x86_64: fuse-debuginfo-2.8.3-3.el6_1.i686.rpm fuse-debuginfo-2.8.3-3.el6_1.x86_64.rpm fuse-devel-2.8.3-3.el6_1.i686.rpm fuse-devel-2.8.3-3.el6_1.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
x86_64: fuse-debuginfo-2.8.3-3.el6_1.x86_64.rpm fuse-libs-2.8.3-3.el6_1.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
x86_64: fuse-2.8.3-3.el6_1.x86_64.rpm fuse-debuginfo-2.8.3-3.el6_1.i686.rpm fuse-debuginfo-2.8.3-3.el6_1.x86_64.rpm fuse-devel-2.8.3-3.el6_1.i686.rpm fuse-devel-2.8.3-3.el6_1.x86_64.rpm fuse-libs-2.8.3-3.el6_1.i686.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
i386: fuse-2.8.3-3.el6_1.i686.rpm fuse-debuginfo-2.8.3-3.el6_1.i686.rpm fuse-devel-2.8.3-3.el6_1.i686.rpm fuse-libs-2.8.3-3.el6_1.i686.rpm
ppc64: fuse-2.8.3-3.el6_1.ppc64.rpm fuse-debuginfo-2.8.3-3.el6_1.ppc.rpm

Read the Full Advisory


Advisory ID: RHSA-2011:1083-01
Product: Red Hat Enterprise Linux
Issue date: 2011-07-20

Topic

Updated fuse packages that fix multiple security issues are now availablefor Red Hat Enterprise Linux 6.The Red Hat Security Response Team has rated this update as having moderatesecurity impact. Common Vulnerability Scoring System (CVSS) base scores,which give detailed severity ratings, are available for each vulnerabilityfrom the CVE links in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64

Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64

Red Hat Enterprise Linux HPC Node (v. 6) - x86_64

Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64

Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

Bugs Fixed

651183 - CVE-2010-3879 CVE-2011-0541 CVE-2011-0542 CVE-2011-0543 fuse: unprivileged user can unmount arbitrary locations via symlink attack

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.