Fixes CVE-2018-10906 - In fuse before versions 2.9.8 and 3.x before 3.2.5,
fusermount is vulnerable to a restriction bypass when SELinux is active.
This allows non-root users to mount a FUSE file system with the
'allow_other' mount option regardless of whether 'user_allow_other' is set
in the fuse configuration. An attacker may use this flaw to mount a FUSE
file system, accessible by other users, and trick them into accessing files
on that file system, possibly causing Denial of Service or other unspecified
effects.
And additionally:
- libfuse no longer segfaults when fuse_interrupted() is called outside the
event loop.
- The fusermount binary has been hardened in several ways to reduce
potential attack surface. Most importantly, mountpoints and mount options
must now match a hard-coded whitelist. It is expected that this whitelist
covers all regular use-cases.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The project moved to github, so point the homepage and download URL
there.
[Thomas:
- Remove comment "Switch to github helper on bump" since we clearly
don't want to switch to the github helper if they continue to
upload release tarballs.
- Adjust comment in the .hash file for clarity.]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-3202 - fix exec environment for mount and umount.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
