[Buildroot] [PATCH] libfuse: security bump to version 2.9.8

Peter Korsgaard peter at korsgaard.com
Fri Aug 17 14:54:15 UTC 2018


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes CVE-2018-10906 - In fuse before versions 2.9.8 and 3.x before 3.2.5,
 > fusermount is vulnerable to a restriction bypass when SELinux is active.
 > This allows non-root users to mount a FUSE file system with the
 > 'allow_other' mount option regardless of whether 'user_allow_other' is set
 > in the fuse configuration.  An attacker may use this flaw to mount a FUSE
 > file system, accessible by other users, and trick them into accessing files
 > on that file system, possibly causing Denial of Service or other unspecified
 > effects.

 > And additionally:

 > - libfuse no longer segfaults when fuse_interrupted() is called outside the
 >   event loop.

 > - The fusermount binary has been hardened in several ways to reduce
 >   potential attack surface.  Most importantly, mountpoints and mount options
 >   must now match a hard-coded whitelist.  It is expected that this whitelist
 >   covers all regular use-cases.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
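
Added example, not part of the original message and not libfuse or Buildroot code: a defender-side audit for the condition the commit message describes, a FUSE mount carrying allow_other for a non-root user while user_allow_other is absent from fuse.conf. It assumes the Linux /proc/mounts option format (user_id=, allow_other) and the default /etc/fuse.conf path; the function names and sample data are constructed, and a hit is only a heuristic because the config may have changed after the mount was made.

```shell
#!/bin/sh
# Audit FUSE mounts against the user_allow_other policy in fuse.conf.

# Return 0 if user_allow_other is enabled (uncommented) in the given file.
user_allow_other_set() {
    [ -r "$1" ] &&
        grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*(#.*)?$' "$1"
}

# Print "<mountpoint> <uid>" for every FUSE mount that has allow_other,
# was made by a non-root user, and is not permitted by fuse.conf.
# Arguments (both optional): mounts file, fuse.conf path.
audit_allow_other() {
    mounts=${1:-/proc/mounts}
    conf=${2:-/etc/fuse.conf}
    if user_allow_other_set "$conf"; then
        return 0    # policy allows allow_other for users, nothing to flag
    fi
    awk '
    $3 == "fuse" || $3 == "fuseblk" || $3 ~ /^fuse\./ {
        n = split($4, opt, ","); uid = ""; other = 0
        for (i = 1; i <= n; i++) {
            if (opt[i] == "allow_other") other = 1
            else if (opt[i] ~ /^user_id=/) uid = substr(opt[i], 9)
        }
        if (other && uid != "" && uid != "0") print $2, uid
    }' "$mounts"
}

# Constructed sample in /proc/mounts format (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
sshfs#backup:/ /mnt/backup fuse.sshfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
/dev/fuse /home/alice/share fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other 0 0
/dev/fuse /home/bob/private fuse rw,nosuid,nodev,relatime,user_id=1001,group_id=1001 0 0
EOF
}
```

Run `audit_allow_other` with no arguments on a target to check the live mount table; any line it prints on a system where user_allow_other was never enabled is worth investigating alongside the installed fusermount version.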


