DSA-3451-1 fuse -- fuse
ID: oval:org.secpod.oval:def:602345 | Date: (C)2016-01-29 (M)2021-09-11 |
Class: PATCH | Family: unix |
Jann Horn discovered a vulnerability in the fuse package in Debian. The fuse package ships a udev rule that adjusts permissions on the related /dev/cuse character device, making it world-writable. This permits a local, unprivileged attacker to create an arbitrarily-named character device in /dev and modify the memory of any process that opens it and performs an ioctl on it. This in turn might allow a local, unprivileged attacker to escalate to root privileges.
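A host can be checked for the condition described above with a short audit script. This is an added example, not part of the advisory or of the fuse package; the function names are hypothetical, and /lib/udev/rules.d and /etc/udev/rules.d are the standard udev rule directories, assumed here because the advisory does not name the rule file.

```shell
#!/bin/sh
# Added example (not from the advisory): audit for a world-writable CUSE node.
# Requires GNU stat (stat -c).

# Exit 0 if the node at $1 grants write to "other", 1 if not, 2 if absent.
is_world_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$mode & 2 )) -ne 0 ]
}

# Print "file:rule" for every non-comment udev rule in directory $1 that
# matches the cuse kernel device and sets a MODE whose last octal digit
# includes the write bit (2, 3, 6 or 7). Assumes MODE follows KERNEL on the line.
find_loose_cuse_rules() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        grep -E '^[^#]*KERNEL=="cuse".*MODE:?="[0-7]*[2367]"' "$f" /dev/null || :
    done
}

# Audit node $1 and the rule directories given after it; return 1 on any finding.
audit_cuse() {
    node=$1; shift
    status=0
    if is_world_writable "$node"; then
        echo "FINDING: $node is world-writable (mode $(stat -c '%a' "$node"))"
        status=1
    fi
    for dir in "$@"; do
        rules=$(find_loose_cuse_rules "$dir")
        if [ -n "$rules" ]; then
            echo "FINDING: udev rule makes cuse world-writable:"
            echo "$rules"
            status=1
        fi
    done
    return $status
}

# Run against the live system only when asked to: sh check.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_cuse /dev/cuse /lib/udev/rules.d /etc/udev/rules.d
fi
```

A finding on the device node with no matching rule usually means the permissive rule has already been replaced but udev has not re-applied permissions to the existing node.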