fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mounts debugging feature.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Debian_linux | Debian | 8.0 (including) | 8.0 (including) |
Fuse | Ubuntu | devel | * |
Fuse | Ubuntu | precise | * |
Fuse | Ubuntu | trusty | * |
Fuse | Ubuntu | utopic | * |
Fuse | Ubuntu | vivid | * |
Ntfs-3g | Ubuntu | devel | * |
Ntfs-3g | Ubuntu | vivid | * |