touch-packages team mailing list archive

[Bug 591972] Re: "mount" decodes newlines from /etc/mtab which may confuse 3rd party scripts


** Changed in: util-linux (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/591972

Title:
  "mount" decodes newlines from /etc/mtab which may confuse 3rd party
  scripts

Status in “util-linux” package in Ubuntu:
  Confirmed

Bug description:
  fusermount fails to sanitize the names of user-provided filesystems
  when writing to /etc/mtab, allowing unprivileged users to insert
  newline characters into /etc/mtab and, subsequently, insert or modify
  mount options for other devices, leading to denial of service
  conditions, the ability to unmount arbitrary filesystems, or
  potentially escalate privileges.

  As an example, a typical mtab entry for the "hello" example filesystem
  provided with the fuse-utils package looks like this:

  drosenbe@Dan:~/fuse$ ./hello mount/
  drosenbe@Dan:~/fuse$ mount
  ...
  hello on /home/drosenbe/fuse/mount type fuse.hello (rw,nosuid,nodev,user=drosenbe)

  If I simply rename this filesystem to "hello\nthese are my new evil
  mount options\nhello" and mount it, /etc/mtab looks like:

  drosenbe@Dan:~/fuse$ './hello
  these are my new evil mount options
  hello' mount/
  drosenbe@Dan:~/fuse$ mount
  ...
  hello
  these are my new evil mount options
  hello on /home/drosenbe/fuse/fuse-2.8.1/util/folder/mount type fuse.hello
  these are my new evil mount options
  hello (rw,nosuid,nodev,user=drosenbe)

  You may experience some weird behavior with newlines depending on your
  terminal, so I recommend writing a quick C wrapper and calling
  rename() to make sure the filename is correct.

  Note that this is similar to CVE-2005-3531, but differs in that the
  old issue allowed corruption via newlines in the mount point names
  (and was subsequently fixed), but this new issue allows corruption via
  newlines in filesystem names.

  On a related note, it might be a good idea to make fusermount only
  executable by those in the fuse group - on my stock Lucid install,
  it's 4755.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/591972/+subscriptions
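The injection above works because fusermount wrote the raw filesystem name into /etc/mtab, so a newline in the name became a line break in the file. The C below is an added example, not code from the bug report, fusermount or util-linux; it shows the two defensive pieces a writer or checker of mtab would want: an escaping routine using the octal escapes glibc's addmntent() applies to mount fields (space, tab, newline and backslash become \040, \011, \012 and \134), and a scanner that counts mtab lines that do not carry the expected six fields, which is what a corrupted file looks like. The sample mtab text is constructed from the entries quoted in the report, with the mount-point path shortened; the function and buffer names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Encode one name as a single mtab field using the octal escapes glibc's
 * addmntent() applies: space -> \040, tab -> \011, newline -> \012,
 * backslash -> \134.  Returns the encoded length, or -1 if out is too small. */
int mtab_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case ' ':  rep = "\\040"; break;
        case '\t': rep = "\\011"; break;
        case '\n': rep = "\\012"; break;
        case '\\': rep = "\\134"; break;
        }
        size_t need = rep ? 4 : 1;
        if (o + need >= outlen)          /* keep room for the terminating NUL */
            return -1;
        if (rep) memcpy(out + o, rep, 4); else out[o] = (char)*p;
        o += need;
    }
    out[o] = '\0';
    return (int)o;
}

/* Convenience wrapper with a static buffer, for quick checks. */
const char *escape_fsname(const char *name)
{
    static char buf[512];
    return mtab_escape(name, buf, sizeof buf) < 0 ? NULL : buf;
}

/* Count whitespace-separated fields in one line (len excludes the newline). */
static int count_fields(const char *line, size_t len)
{
    int n = 0, in_field = 0;
    for (size_t i = 0; i < len; i++) {
        if (isspace((unsigned char)line[i]))
            in_field = 0;
        else if (!in_field) { in_field = 1; n++; }
    }
    return n;
}

/* Number of non-empty mtab lines that do not have exactly six fields
 * (fsname dir type opts freq passno).  A healthy mtab yields 0; the injected
 * newlines from the report split one entry into several short/long lines. */
int mtab_malformed_lines(const char *mtab)
{
    int bad = 0;
    for (const char *p = mtab; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && count_fields(p, len) != 6)
            bad++;
        if (!nl) break;
        p = nl + 1;
    }
    return bad;
}

/* Build one mtab line from raw fields, escaping each one first.
 * Returns 0 on success, -1 if a field or the line does not fit. */
int mtab_build_entry(const char *fsname, const char *dir, const char *type,
                     const char *opts, char *out, size_t outlen)
{
    char f[256], d[256], t[256], o[256];
    if (mtab_escape(fsname, f, sizeof f) < 0 || mtab_escape(dir, d, sizeof d) < 0 ||
        mtab_escape(type, t, sizeof t) < 0 || mtab_escape(opts, o, sizeof o) < 0)
        return -1;
    int n = snprintf(out, outlen, "%s %s %s %s 0 0\n", f, d, t, o);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Build an entry from the name quoted in the report and report how many
 * malformed lines result: 0 means the escaped entry stayed one record. */
int injected_name_stays_one_line(void)
{
    static char line[1024];
    const char *name = "hello\nthese are my new evil mount options\nhello";
    if (mtab_build_entry(name, "/home/drosenbe/fuse/mount", "fuse.hello",
                         "rw,nosuid,nodev,user=drosenbe", line, sizeof line) < 0)
        return -1;
    return mtab_malformed_lines(line);
}

/* Constructed samples: a sane entry, and the corrupted entry from the report
 * as the raw file would hold it (the type field was split the same way). */
const char *SAMPLE_MTAB_OK =
    "hello /home/drosenbe/fuse/mount fuse.hello rw,nosuid,nodev,user=drosenbe 0 0\n";
const char *SAMPLE_MTAB_CORRUPT =
    "hello\nthese are my new evil mount options\nhello /home/drosenbe/fuse/mount "
    "fuse.hello\nthese are my new evil mount options\nhello rw,nosuid,nodev,user=drosenbe 0 0\n";

int main(void)
{
    printf("escaped name: %s\n", escape_fsname("hello\nthese are my new evil mount options\nhello"));
    printf("malformed lines, sane mtab:      %d\n", mtab_malformed_lines(SAMPLE_MTAB_OK));
    printf("malformed lines, corrupted mtab: %d\n", mtab_malformed_lines(SAMPLE_MTAB_CORRUPT));
    printf("malformed lines after escaping:  %d\n", injected_name_stays_one_line());
    return 0;
}
```

Running the scanner against the corrupted sample reports five malformed lines, while the same name written through mtab_build_entry stays a single six-field record. On systems where /etc/mtab is a symlink to /proc/self/mounts the kernel does the escaping, so the scanner is mainly useful where a user-space writer still maintains the file.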