[Buildroot] [PATCH] libfuse: security bump to version 2.9.8
Peter Korsgaard
peter at korsgaard.com
Fri Aug 17 14:54:15 UTC 2018
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes CVE-2018-10906 - In fuse before versions 2.9.8 and 3.x before 3.2.5,
> fusermount is vulnerable to a restriction bypass when SELinux is active.
> This allows non-root users to mount a FUSE file system with the
> 'allow_other' mount option regardless of whether 'user_allow_other' is set
> in the fuse configuration. An attacker may use this flaw to mount a FUSE
> file system, accessible by other users, and trick them into accessing files
> on that file system, possibly causing Denial of Service or other unspecified
> effects.
> And additionally:
> - libfuse no longer segfaults when fuse_interrupted() is called outside the
> event loop.
> - The fusermount binary has been hardened in several ways to reduce
> potential attack surface. Most importantly, mountpoints and mount options
> must now match a hard-coded whitelist. It is expected that this whitelist
> covers all regular use-cases.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
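
For checking a target root filesystem against the ranges named in the commit message above, here is an added example that is not part of the original post or of the Buildroot or libfuse code. The function names are hypothetical, and the `fusermount -V` output format and the `/etc/fuse.conf` path are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# version_lt A B: succeeds when dotted numeric version A sorts before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# fuse_version_affected VERSION: succeeds when VERSION falls in a range the
# commit message names (before 2.9.8, or 3.x before 3.2.5). Returns 2 when
# VERSION is not a dotted number, so callers can treat it as unknown.
fuse_version_affected() {
    case "$1" in
        ''|*[!0-9.]*) return 2 ;;
        3.*) version_lt "$1" 3.2.5 ;;
        *)   version_lt "$1" 2.9.8 ;;
    esac
}

# parse_fusermount_version LINE: extract the version from a line such as
# "fusermount version: 2.9.7" (assumed format of `fusermount -V`).
parse_fusermount_version() {
    printf '%s\n' "$1" | sed -n 's/.*version:[[:space:]]*\([0-9.]*\).*/\1/p'
}

# user_allow_other_set FILE: succeeds when FILE has an uncommented
# user_allow_other line (FILE is normally /etc/fuse.conf, an assumption here).
user_allow_other_set() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# assess VERSION CONF: print a one-line verdict for a target's rootfs.
# Usage: assess "$(parse_fusermount_version "$(fusermount -V)")" /etc/fuse.conf
assess() {
    if fuse_version_affected "$1"; then
        if user_allow_other_set "$2"; then
            echo "affected: allow_other is already permitted by $2"
        else
            echo "affected: user_allow_other is unset but not enforced under SELinux"
        fi
    else
        echo "not in an affected range (or version unknown)"
    fi
}
```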