Debian Bug report logs -
#490921
CVE-2008-2232: privilege escalation
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Tue, 15 Jul 2008 11:07:01 UTC
Severity: grave
Tags: security
Found in version afuse/0.2-2
Fixed in version afuse/0.2-3
Done: Varun Hiremath <varun@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Varun Hiremath <varun@debian.org>:
Bug#490921; Package afuse.
(full text, mbox, link).
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Varun Hiremath <varun@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: afuse
Version: 0.2-2
Severity: grave
Tags: security
Justification: user security hole
Hi
A privilege escalation has been reported against afuse.
This issue is CVE-2008-2232.
Here is some additional information:
afuse accepts a command line of the form
afuse /path -o mount_template="mount-script %m %r" \
unmount_template="unmount-script %m %r"
It replaces %m with the mountpoint and %r with the next component of the
pathname being accessed. These interpolated strings are inserted inside
double quotes, but metacharacters within them are not escaped. The
resulting string is then passed to system() and executed by the shell.
Therefore, an attacker with read access to the afuse filesystem can gain
the privileges of its owner, using paths such as
/path/";arbitrary command;"
/path/`arbitrary command`
The patch attached is from the original is from the original reporter
Anders Kaseorg, please honour him in the changelog.
When you fix this issue, please mention the CVE id in your changelog.
Cheers
Steffen
[afuse-template-tokenize.patch (text/x-c++, attachment)]
Reply sent to Varun Hiremath <varun@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #10 received at 490921-close@bugs.debian.org (full text, mbox, reply):
Source: afuse
Source-Version: 0.2-3
We believe that the bug you reported is fixed in the latest version of
afuse, which is due to be installed in the Debian FTP archive:
afuse_0.2-3.diff.gz
to pool/main/a/afuse/afuse_0.2-3.diff.gz
afuse_0.2-3.dsc
to pool/main/a/afuse/afuse_0.2-3.dsc
afuse_0.2-3_i386.deb
to pool/main/a/afuse/afuse_0.2-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 490921@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Varun Hiremath <varun@debian.org> (supplier of updated afuse package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 16 Jul 2008 00:06:59 +0530
Source: afuse
Binary: afuse
Architecture: source i386
Version: 0.2-3
Distribution: unstable
Urgency: high
Maintainer: Varun Hiremath <varun@debian.org>
Changed-By: Varun Hiremath <varun@debian.org>
Description:
afuse - automounting file system implemented in user-space using FUSE
Closes: 490921
Changes:
afuse (0.2-3) unstable; urgency=high
.
* Security fix for CVE-2008-2232: Add afuse-template-tokenize.diff patch
to fix potential privilege escalation caused by unescaped
meta-characters in path. Thanks to Anders Kaseorg for the
patch. (Closes: #490921)
* Bump Standards-Version to 3.8.0
Checksums-Sha1:
48c440510d316104004d60aab98c276e1522a337 1140 afuse_0.2-3.dsc
c01fdb74fc458c780c3181e2f9201a6071181c2d 4411 afuse_0.2-3.diff.gz
aa36e345f8533add58bb4cfa9300dc83fb894dfe 16514 afuse_0.2-3_i386.deb
Checksums-Sha256:
8cdd4f4b0e2fd142ca3cc4a6254b9935d258cc117927767cd52d871269fdc938 1140 afuse_0.2-3.dsc
1755e5196bfc4b590bb7bb31ff67e225557dedf6ebb202d5a2ec40ba6863ec03 4411 afuse_0.2-3.diff.gz
138dd5d294df1abd21e2ca402c57bd13f238fcb615e8c1eec61bb6dbc4895594 16514 afuse_0.2-3_i386.deb
Files:
7ab98f70e5f076ca4fcd66ecf4d6e6e9 1140 utils optional afuse_0.2-3.dsc
9da55e79dcd4682a866bccd616cfe911 4411 utils optional afuse_0.2-3.diff.gz
f1c9159ca9b1f403599873aa41601726 16514 utils optional afuse_0.2-3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIfO7wPEFSUMxFMZcRAtQ8AJ4nmeGiuEBEKIv0/gxvcgnElUqJ3ACePnYy
9wzt9UmCfQWlSxY9awSActo=
=+1VA
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Aug 2008 07:29:11 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:11:15 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon