Fuse (fusermount) suffers from a local privilege escalation vulnerability. This is a proof of concept for Ubuntu.
b50e101f0fd8a29c70f51dd4db578306c1a77f5520e6a8b981293987baf4ba67
Debian Linux Security Advisory 4257-1 - Jann Horn discovered that FUSE, a Filesystem in USErspace, allows the bypass of the 'user_allow_other' restriction when SELinux is active (including in permissive mode). A local user can take advantage of this flaw in the fusermount utility to bypass the system configuration and mount a FUSE filesystem with the 'allow_other' mount option.
6ae379afa1bdb3daca80e53b902623ac0af07b819114316f385107c5a5c45863
It is possible to bypass fusermount's restrictions on the use of the "allow_other" mount option as follows if SELinux is active.
f8811f70025a2c7cb736546cf68f180165bf220f896460ba119cccb6e37d586c
Gentoo Linux Security Advisory 201603-4 - The fusermount binary in FUSE does not properly clear the environment before invoking mount or umount as root that allows a local user to overwrite arbitrary files. Versions less than 2.9.4 are affected.
7f349aeb4d93dedf1af9154ffe4df03c5bbc6168335bf94f5ad2a86606f8a31f
Red Hat Security Advisory 2011-1083-01 - FUSE can implement a fully functional file system in a user-space program. These packages provide the mount utility, fusermount, the tool used to mount FUSE file systems. Multiple flaws were found in the way fusermount handled the mounting and unmounting of directories when symbolic links were present. A local user in the fuse group could use these flaws to unmount file systems, which they would otherwise not be able to unmount and that were not mounted using FUSE, via a symbolic link attack.
570a3ac9c4d8ba47567744f3a2508ef5c64019b15a6120d40f7b53ce18ed1cd0
At least on ubuntu lucid, the fusermount tool contains a timerace mounting a user filesystem and updating mtab, thus mtab entries with arbitrary paths can be created. Crafted mtab entries can then be used to unmount live parts of the filesystem. Proof of concept code included.
042dadda335de672c21630853a0e117fb84f2a7885909c01be5c0e5ea8732cd2
Gentoo Linux Security Advisory GLSA 200511-17 - Thomas Biege discovered that fusermount fails to securely handle special characters specified in mount points. Versions less than 2.4.1-r1 are affected.
c252bb62a986e19acfbebfd92e33923b03bb4904985592643fe4b7762aa8fb41