In addition to the --no-canonicalize option, the --fake option is also required in umount, which is present in 2.18:
http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commitdiff;h=97a3cef4f1
Another relevant util-linux-ng commit is:
http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commitdiff;h=1cf4c20b19 ("spec" still canonicalized)
The above two would be required for util-linux-ng in RHEL6. All of the commits would be required for util-linux in RHEL5.
Fedora 14 has the required util-linux-ng version, but needs the fuse fixes backported. SUSE has a patch to fuse to make it use --no-canonicalize and --fake which should fix the issue:
https://bugzilla.novell.com/attachment.cgi?id=399921
Unfortunately, I've been using RHEL6 to test with the above patches (to fuse and util-linux-ng) and the proof of concept still works. So I don't think these patches are sufficient to correct the problem, although I'm not sure what is missing.
Tom, would you have a chance to look at this and see if perhaps something is missing? FWIW, I cannot reproduce this on F14. Despite there being no group-restrictions on fuse (not sure why that's the case), I get the following error:
sh Test.sh
Using target call count 8
Move triggered at count 8
fusermount: user has no write access to mountpoint /proc
fusermount: could not determine username
(although sometimes that first fusermount error shows:
fusermount: user has no write access to mountpoint /home/vdanen/tmp/CVE-2010-3879/tmp/proc
which is the user-mounted directory).
By contrast, fuse-2.8.5-2.fc13 and util-linux-ng-2.17.2-8.fc13 allow me to reproduce this on F13. The same fuse version is on both, but F14 has (a newer) util-linux-ng-2.18-4.5.fc14.
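The comment above turns on whether the installed umount offers both --no-canonicalize and --fake (util-linux-ng 2.18 or later). The following script is an added example for checking that on a host; it is not code from this bug report or from the fuse or util-linux projects. It assumes that `umount --version` prints a banner of the form "umount from util-linux 2.18" (or "util-linux-ng") and that `umount --help` lists each option by its long name; the sample banner and help texts embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the local umount supports the two options the
# fuse fix relies on (--no-canonicalize and --fake, present in 2.18+).

# Return 0 if every required long option appears in the given help text.
# $1: help text (e.g. the output of `umount --help`)
umount_help_has_flags() {
    help_text=$1
    for flag in --no-canonicalize --fake; do
        case "$help_text" in
            *"$flag"*) ;;          # option listed, keep checking
            *) return 1 ;;         # option missing
        esac
    done
    return 0
}

# Return 0 if a version string such as "2.17.2" or "2.18-4.5" is >= 2.18.
# Anything after the first non-numeric, non-dot character is ignored.
# $1: version string
umount_version_ok() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    [ "${major:-0}" -gt 2 ] && return 0
    [ "${major:-0}" -eq 2 ] && [ "${minor:-0}" -ge 18 ]
}

# Pull the version number out of the `umount --version` banner.
# Banner format "umount from util-linux[-ng] X.Y[.Z]" is an assumption.
# $1: banner text
umount_version_from_banner() {
    printf '%s\n' "$1" \
        | sed -n 's/.*util-linux[-ng]* \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Run both checks against the umount actually installed on this host.
# Returns 0 only if the version is new enough AND both options are listed.
check_local_umount() {
    banner=$(umount --version 2>&1 || true)
    ver=$(umount_version_from_banner "$banner")
    help_text=$(umount --help 2>&1 || true)
    echo "umount version: ${ver:-unknown}"
    umount_version_ok "${ver:-0}" && umount_help_has_flags "$help_text"
}

# Constructed samples (not real program output) to exercise the helpers.
SAMPLE_BANNER_OLD="umount from util-linux-ng 2.17.2"
SAMPLE_BANNER_NEW="umount from util-linux 2.18"
SAMPLE_HELP_OK="Options:
 -c, --no-canonicalize   don't canonicalize paths
     --fake              dry run; skip the umount(2) syscall"
SAMPLE_HELP_MISSING_FAKE="Options:
 -c, --no-canonicalize   don't canonicalize paths"

# Only probe the real binary when it exists; never abort the script on a
# negative verdict, just report it.
if command -v umount >/dev/null 2>&1; then
    check_local_umount \
        || echo "umount lacks --no-canonicalize and/or --fake (need util-linux-ng >= 2.18)"
fi
```

Run it as `sh check-umount.sh`; a host whose umount predates 2.18, or whose help output omits either option, gets the negative message. The help-text check is kept separate from the version check because a backported build can carry the options at an older version number, and a vendor build can report a new version while lacking them.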