Bugzilla – Bug 963182
VUL-0: CVE-2016-1233 fuse: udev rules made world-writable
Last modified: 2016-01-22 12:18:49 UTC
http://seclists.org/bugtraq/2016/Jan/106

Jann Horn discovered a vulnerability in the fuse (Filesystem in Userspace) package in Debian. The fuse package ships a udev rule adjusting permissions on the related /dev/cuse character device, making it world-writable. This permits a local, unprivileged attacker to create an arbitrarily-named character device in /dev and modify the memory of any process that opens it and performs an ioctl on it. This in turn might allow a local, unprivileged attacker to escalate to root privileges.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1301011
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1233
http://www.debian.org/security/2016/dsa-3451
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1233.html
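An audit check for the condition described above, as an added example that is not part of this bug report or of the Debian package: it flags active udev rules that make a device world-writable and checks the mode of the live node. The function names are hypothetical, the rule text is taken from the Debian diff quoted on this page, and the parser assumes only `KERNEL==` matches and literal octal `MODE` values.

```python
import fnmatch
import os
import re
import stat

# Rule lines quoted from the Debian diff on this page (2.9.4 and 2.9.5).
RULES_2_9_4 = '''KERNEL=="fuse", MODE="0666", OPTIONS+="static_node=fuse"
KERNEL=="cuse", MODE="0666", OPTIONS+="static_node=cuse"
'''
RULES_2_9_5 = '''KERNEL=="fuse", MODE="0666", OPTIONS+="static_node=fuse"
# 0600 is the default mode set by udev
#KERNEL=="cuse", MODE="0600", OPTIONS+="static_node=cuse"
'''

# key / operator / "value" triples, e.g. KERNEL=="cuse" or MODE="0666"
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')

def kernel_matches(pattern, name):
    """udev match values are shell globs; '|' separates alternatives."""
    return any(fnmatch.fnmatchcase(name, alt) for alt in pattern.split("|"))

def world_writable_rules(rules_text, device="cuse"):
    """Return [(rule, mode)] for active rules making `device` world-writable."""
    findings = []
    # A trailing backslash continues a rule on the next line.
    for rule in rules_text.replace("\\\n", " ").splitlines():
        rule = rule.strip()
        if not rule or rule.startswith("#"):
            continue  # blank line or commented-out rule
        tokens = TOKEN.findall(rule)
        if not any(k == "KERNEL" and op == "==" and kernel_matches(v, device)
                   for k, op, v in tokens):
            continue
        for k, op, v in tokens:
            if k == "MODE" and op in ("=", ":="):
                try:
                    mode = int(v, 8)
                except ValueError:
                    continue  # not an octal mode string
                if mode & stat.S_IWOTH:
                    findings.append((rule, mode))
    return findings

def node_world_writable(path="/dev/cuse"):
    """True/False for an existing character device, None if there is none."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    if not stat.S_ISCHR(st.st_mode):
        return None
    return bool(st.st_mode & stat.S_IWOTH)
```

On a real system the rule text would be read from the files under the udev rules directories, and `node_world_writable()` covers a node that is still world-writable from before a package upgrade.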
RH rating is off. Rated as 6.0 AV:L/AC:H/Au:S/C:C/I:C/A:C

Issue is Debian package specific. Does not affect SUSE or openSUSE packages as we do not ship the bad udev rule. Closing as resolved - invalid.

SUSE permissions:
crw------- 1 root root 10, 203 Jan 22 11:16 /dev/cuse

Quoting relevant parts of the Debian diff.

diff -ru debian-2.9.4/changelog debian-2.9.5/changelog --- debian-2.9.4/changelog 2015-06-09 22:55:30.000000000 +0200 +++ debian-2.9.5/changelog 2016-01-21 21:25:22.000000000 +0100 @@ -1,3 +1,12 @@ +fuse (2.9.5-1) unstable; urgency=high + + * New upstream release. + * CVE-2016-1233: Fix permissions on cuse character device to be + accessible by root only. + * Keep rebuildable. + + -- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sun, 17 Jan 2016 16:47:21 +0100 + fuse (2.9.4-1) unstable; urgency=low * New upstream release. Only in debian-2.9.5: clean diff -ru debian-2.9.4/control debian-2.9.5/control --- debian-2.9.4/control 2015-05-21 19:32:43.000000000 +0200 +++ debian-2.9.5/control 2016-01-17 16:52:46.000000000 +0100 @@ -6,6 +6,7 @@ debhelper (>= 9), dh-autoreconf, libselinux-dev [linux-any], + gettext Standards-Version: 3.9.6 Homepage: http://fuse.sourceforge.net/ #Vcs-Browser: http://daniel-baumann.ch/gitweb/?p=debian/packages/fuse.git diff -ru debian-2.9.4/fuse.postinst debian-2.9.5/fuse.postinst --- debian-2.9.4/fuse.postinst 2015-06-09 23:00:50.000000000 +0200 +++ debian-2.9.5/fuse.postinst 2016-01-17 17:21:13.000000000 +0100 @@ -4,6 +4,10 @@ case "${1}" in configure) + if [ -c /dev/cuse ] + then + chmod 0600 /dev/cuse > /dev/null 2>&1 + fi if ! dpkg-statoverride --list /bin/fusermount > /dev/null 2>&1 then chmod 4755 /bin/fusermount diff -ru debian-2.9.4/fuse.udev debian-2.9.5/fuse.udev --- debian-2.9.4/fuse.udev 2014-06-20 08:23:50.000000000 +0200 +++ debian-2.9.5/fuse.udev 2016-01-20 19:46:11.000000000 +0100 
@@ -1,4 +1,7 @@ KERNEL=="fuse", MODE="0666", OPTIONS+="static_node=fuse" ACTION=="add", SUBSYSTEM=="module", KERNEL=="fuse", RUN+="/bin/mount -t fusectl fusectl /sys/fs/fuse/connections" -KERNEL=="cuse", MODE="0666", OPTIONS+="static_node=cuse" +# 0600 is the default mode set by udev +# don't let non-root users access it or you risk memory rw attack on +# processes using this device +#KERNEL=="cuse", MODE="0600", OPTIONS+="static_node=cuse"
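Review bot: In the fuse.postinst hunk, `chmod 0600 /dev/cuse > /dev/null 2>&1` throws away any error message, so an upgrade on which the chmod does not succeed can leave the already-created node world-writable with nothing in the output to show it. Drop the stderr redirect or print a warning when the chmod fails. The chmod is also unconditional, unlike the `/bin/fusermount` lines just below it, which consult `dpkg-statoverride --list` first; a short comment saying that overriding a locally chosen mode on /dev/cuse is intended would make that difference deliberate rather than accidental.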
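Review bot: In the fuse.udev hunk the replacement rule is added commented out (`#KERNEL=="cuse", MODE="0600", OPTIONS+="static_node=cuse"`), so the restricted mode now depends entirely on the udev default that the new comment mentions, and the `OPTIONS+="static_node=cuse"` setting carried by the removed line is no longer applied at all. Either ship the rule active with MODE="0600" so the intended mode is stated explicitly, or delete the dead line and note in the comment that dropping static_node for cuse is intentional.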