[Bug 591972] Re: "mount" decodes newlines from /etc/mtab which may confuse 3rd party scripts
Jamie Strandboge
jamie at ubuntu.com
Tue Oct 14 22:07:35 UTC 2014
** Changed in: util-linux (Ubuntu)
Assignee: Jamie Strandboge (jdstrand) => (unassigned)
https://bugs.launchpad.net/bugs/591972
Title:
"mount" decodes newlines from /etc/mtab which may confuse 3rd party
scripts
Status in “util-linux” package in Ubuntu:
Confirmed
Bug description:
fusermount fails to sanitize the names of user-provided filesystems
when writing to /etc/mtab, allowing unprivileged users to insert
newline characters into /etc/mtab and, subsequently, insert or modify
mount options for other devices, leading to denial of service
conditions, the ability to unmount arbitrary filesystems, or
potentially escalate privileges.
As an example, a typical mtab entry for the "hello" example filesystem
provided with the fuse-utils package looks like this:
drosenbe@Dan:~/fuse$ ./hello mount/
drosenbe@Dan:~/fuse$ mount
...
hello on /home/drosenbe/fuse/mount type fuse.hello (rw,nosuid,nodev,user=drosenbe)
If I simply rename this filesystem to "hello\nthese are my new evil
mount options\nhello" and mount it, /etc/mtab looks like:
drosenbe@Dan:~/fuse$ './hello
these are my new evil mount options
hello' mount/
drosenbe@Dan:~/fuse$ mount
...
hello
these are my new evil mount options
hello on /home/drosenbe/fuse/fuse-2.8.1/util/folder/mount type fuse.hello
these are my new evil mount options
hello (rw,nosuid,nodev,user=drosenbe)
You may experience some weird behavior with newlines depending on your
terminal, so I recommend writing a quick C wrapper and calling
rename() to make sure the filename is correct.
Note that this is similar to CVE-2005-3531, but differs in that the
old issue allowed corruption via newlines in the mount point names
(and was subsequently fixed), but this new issue allows corruption via
newlines in filesystem names.
On a related note, it might be a good idea to make fusermount only
executable by those in the fuse group - on my stock Lucid install,
it's 4755.
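Added example, not part of the original report and not fusermount's own code: a sketch of the field escaping that keeps a filesystem name from spanning several mtab lines, using the octal sequences that getmntent(3) decodes. The function names mtab_escape and mtab_entry_lines are hypothetical, and the mount type and options are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Escape one mtab field with the octal sequences getmntent(3) decodes
 * (space, tab, newline, backslash). Returns 0, or -1 if out is too small. */
int mtab_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int special = (c == ' ' || c == '\t' || c == '\n' || c == '\\');
        if (o + (special ? 4 : 1) + 1 > outlen) return -1; /* room for NUL */
        if (special) o += (size_t)snprintf(out + o, 5, "\\%03o", (unsigned)c);
        else out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Build the mtab line for one mount; type and options are constructed sample
 * values. escape=0 reproduces the unsanitized write from the report.
 * Returns the number of lines the entry occupies, or -1 on error. */
int mtab_entry_lines(const char *fsname, const char *dir, int escape,
                     char *line, size_t len)
{
    char ef[256], ed[256];
    const char *f = fsname, *d = dir;
    if (escape) {
        if (mtab_escape(fsname, ef, sizeof ef) || mtab_escape(dir, ed, sizeof ed))
            return -1;
        f = ef; d = ed;
    }
    int n = snprintf(line, len, "%s %s fuse.hello rw,nosuid,nodev 0 0\n", f, d);
    if (n < 0 || (size_t)n >= len) return -1;
    int lines = 0;
    for (const char *p = line; *p; p++) lines += (*p == '\n');
    return lines;
}

int main(void)
{
    char buf[1024];
    const char *name = "hello\nthese are my new evil mount options\nhello";
    const char *dir = "/home/drosenbe/fuse/mount";
    printf("raw: %d line(s)\n", mtab_entry_lines(name, dir, 0, buf, sizeof buf));
    printf("escaped: %d line(s)\n%s", mtab_entry_lines(name, dir, 1, buf, sizeof buf), buf);
    return 0;
}
```

Tools that read the escaped file with getmntent(3) get the original name back, while scripts that split /etc/mtab on whitespace see the literal \012 and \040 sequences.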