fuse: CVE-2015-3202


Debian Bug report logs - #786439
fuse: CVE-2015-3202


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 21 May 2015 17:39:07 UTC

Severity: grave

Tags: security, upstream

Found in versions fuse/2.9.0-1, fuse/2.8.4-1.1

Fixed in versions fuse/2.9.0-2+deb7u2, fuse/2.9.3-15+deb8u1, fuse/2.9.3-16

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#786439; Package src:fuse. (Thu, 21 May 2015 17:39:12 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Thu, 21 May 2015 17:39:12 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fuse: CVE-2015-3202
Date: Thu, 21 May 2015 19:37:58 +0200
Source: fuse
Version: 2.9.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: fixed -1 2.9.0-2+deb7u2

Hi

See https://marc.info/?l=oss-security&m=143222736930704&w=2 for
details. Updated packages for wheezy-security and jessie-security were
just released as DSA-3266-1.

Regards,
Salvatore



Marked as fixed in versions fuse/2.9.0-2+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 21 May 2015 17:39:13 GMT)


Marked as fixed in versions fuse/2.9.3-15+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 21 May 2015 17:45:08 GMT)


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Thu, 21 May 2015 18:21:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 21 May 2015 18:21:12 GMT)


Message #14 received at 786439-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 786439-close@bugs.debian.org
Subject: Bug#786439: fixed in fuse 2.9.3-16
Date: Thu, 21 May 2015 18:19:18 +0000
Source: fuse
Source-Version: 2.9.3-16

We believe that the bug you reported is fixed in the latest version of
fuse, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 786439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 21 May 2015 17:22:33 +0000
Source: fuse
Binary: fuse fuse-dbg libfuse2 libfuse-dev fuse-udeb libfuse2-udeb
Architecture: source amd64
Version: 2.9.3-16
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 fuse       - Filesystem in Userspace
 fuse-dbg   - Filesystem in Userspace (debug)
 fuse-udeb  - Filesystem in Userspace (udeb)
 libfuse-dev - Filesystem in Userspace (development)
 libfuse2   - Filesystem in Userspace (library)
 libfuse2-udeb - Filesystem in Userspace (library) (udeb)
Closes: 786439
Changes:
 fuse (2.9.3-16) unstable; urgency=high
 .
   * Sync with Ubuntu.
   * Update Standards-Version to 3.9.6 .
 .
   [ Marc Deslauriers <marc.deslauriers@ubuntu.com> ]
   * SECURITY UPDATE: privilege escalation via insecure environment
     - debian/patches/CVE-2015-3202.patch: use execle to run external
       helpers in lib/mount_util.c, util/mount_util.c.
     - CVE-2015-3202 (closes: #786439).
Checksums-Sha1:
 3012923cd92596d4b115e6b847b253b0af22a09a 2097 fuse_2.9.3-16.dsc
 7a8b88d9456947f5969bfbbbf2476b67cd125cec 17428 fuse_2.9.3-16.debian.tar.xz
 f2404a3eb0822631fad8cc17b1f30d84c40b472c 309558 fuse-dbg_2.9.3-16_amd64.deb
 b222a2b598e8765c7c832483e62fc17df93fee47 14520 fuse-udeb_2.9.3-16_amd64.udeb
 dbfe1ba4ccad40a69ff5fbd91e49fb5ba98c91cc 70580 fuse_2.9.3-16_amd64.deb
 cd8a750be36887deb8b0480c097818cbb2d5f7f3 149866 libfuse-dev_2.9.3-16_amd64.deb
 5bf3fcd144257d4eb0a6c88cd4f87a86374f06c6 66598 libfuse2-udeb_2.9.3-16_amd64.udeb
 500c97afdb76e52a0220fbcbfef99845cfb9962d 134708 libfuse2_2.9.3-16_amd64.deb
Checksums-Sha256:
 adcec01bc376c36c0dd2d138eb88287810a56094f01c1d6b4a669378b32c9b20 2097 fuse_2.9.3-16.dsc
 67a0dc508d1dc0e27e6be5f929c9951fb1cf00be2f972db62983f40bff216072 17428 fuse_2.9.3-16.debian.tar.xz
 5dd247ae1a0c1bc4c4149fc6460ac62362bbd81833f14a49d8da0634b2a97a78 309558 fuse-dbg_2.9.3-16_amd64.deb
 9b3ef23787f034156f4566a5060f6c74cb4f51571cbd5fa881da08dfd0b10245 14520 fuse-udeb_2.9.3-16_amd64.udeb
 2eb95f50058e54bbb6a98ca39198a8f5ea1b231701e1f3b067feb43333f54c55 70580 fuse_2.9.3-16_amd64.deb
 bac80b3f11bdcbb6363eac71d9628e27ca8014bbcde2b44855807c41ead7ca43 149866 libfuse-dev_2.9.3-16_amd64.deb
 f4af9ea594caad76bc78bca7e78c2968d66d1fa11b61c74a02cf72b92165fd37 66598 libfuse2-udeb_2.9.3-16_amd64.udeb
 2f079d57c56ef09de20d85e718148d5aa93f402dbc4a1557d189d1b7365484ae 134708 libfuse2_2.9.3-16_amd64.deb
Files:
 3f58f54597c4be935e1e3971f04ffe38 2097 utils optional fuse_2.9.3-16.dsc
 6e6d96b16c754ad0167f63f24ed7635d 17428 utils optional fuse_2.9.3-16.debian.tar.xz
 2a9fbbe849f1220e9948c3d21127f572 309558 debug extra fuse-dbg_2.9.3-16_amd64.deb
 a292e7e7f657bfd975fc0ddbe46676ca 14520 debian-installer optional fuse-udeb_2.9.3-16_amd64.udeb
 ad61efcc1b3ba4256485ce195d063208 70580 utils optional fuse_2.9.3-16_amd64.deb
 859c2a2cd6cfebec831f83dc2bc35d49 149866 libdevel optional libfuse-dev_2.9.3-16_amd64.deb
 48f89e33028ced9e4a93db48f82504b9 66598 debian-installer optional libfuse2-udeb_2.9.3-16_amd64.udeb
 f61b2cd4497b67e26f13679ef9e38952 134708 libs optional libfuse2_2.9.3-16_amd64.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#786439; Package src:fuse. (Fri, 22 May 2015 09:09:04 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 22 May 2015 09:09:04 GMT)


Message #19 received at 786439@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Laszlo Boszormenyi <gcs@debian.org>
Cc: debian-lts@lists.debian.org, 786439@bugs.debian.org
Subject: squeeze update of fuse?
Date: Fri, 22 May 2015 11:06:50 +0200
Control: found -1 2.8.4-1.1

Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of fuse:
https://security-tracker.debian.org/tracker/CVE-2015-3202

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Marked as found in versions fuse/2.8.4-1.1. Request was from Raphael Hertzog <hertzog@debian.org> to 786439-submit@bugs.debian.org. (Fri, 22 May 2015 09:09:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#786439; Package src:fuse. (Tue, 26 May 2015 16:45:06 GMT)


Acknowledgement sent to Santiago Ruano Rincón <santiagorr@riseup.net>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 26 May 2015 16:45:07 GMT)


Message #26 received at 786439@bugs.debian.org:

From: Santiago Ruano Rincón <santiagorr@riseup.net>
To: Laszlo Boszormenyi <gcs@debian.org>
Cc: debian-lts@lists.debian.org, 786439@bugs.debian.org
Subject: Re: squeeze update of fuse?
Date: Tue, 26 May 2015 18:42:58 +0200
Hi Laszlo,

Please find the attached dpatch to prevent CVE-2015-3202 in squeeze. It
makes lib/mount_util.c use execle instead of execl to run external
helpers.

Please, let me know if you want me to upload a patched package, or if
you want to do it by yourself.

Cheers,

Santiago
[004-CVE-2015-3202.dpatch (text/plain, attachment)]
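The changelog entry in the close message above and Santiago's patch description both name the same fix: a privileged helper must run external programs with an environment it constructed itself, via execle(), instead of handing them whatever the invoking user's environ contained. The following C program is an added example and is not code from the fuse package, from the attached dpatch, or from this bug report; the function names, the TZ allow-list, the hard-coded PATH and the sample caller environment are all constructed for illustration. It models the inherited-environment case by passing the caller's environment explicitly and the fixed case by building a minimal environment first; both are checked by a small shell snippet run in the child.

```c
/* Added example (not from the fuse package or this bug report): running an
 * external helper from a privileged program with a fixed environment via
 * execle() rather than inheriting the caller's environ. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define HELPER_ENV_MAX 8

/* Constructed sample of what an unprivileged caller might hand a setuid
 * helper: a preload library, a PATH naming a user-writable directory, and
 * one harmless variable (TZ) that the helper is willing to pass on. */
static char *const sample_caller_env[] = {
    "LD_PRELOAD=/tmp/example.so",
    "PATH=/tmp/example-bin:/usr/bin",
    "TZ=UTC",
    NULL
};

/* Shell snippet run in the child: exits 0 only if the child sees the
 * environment the helper intended (no LD_PRELOAD, fixed PATH, TZ kept). */
static const char *const check_script =
    "[ -z \"$LD_PRELOAD\" ] && "
    "[ \"$PATH\" = /usr/sbin:/usr/bin:/sbin:/bin ] && "
    "[ \"$TZ\" = UTC ]";

/* Build the environment a privileged helper hands to its child.  Nothing is
 * copied from caller_env by default: PATH is hard-coded and only variables
 * on an explicit allow-list (here just TZ, an assumption of this example)
 * are carried over.  Returns the number of entries stored before the NULL. */
size_t build_helper_env(char *const *caller_env, char **out, size_t out_max)
{
    static const char *const allowed[] = { "TZ" };
    size_t n = 0;

    if (out_max < 2)
        return 0;
    out[n++] = (char *)"PATH=/usr/sbin:/usr/bin:/sbin:/bin";

    for (size_t i = 0; caller_env && caller_env[i] && n + 1 < out_max; i++) {
        const char *eq = strchr(caller_env[i], '=');
        if (eq == NULL)
            continue;                      /* malformed entry: drop it */
        size_t klen = (size_t)(eq - caller_env[i]);
        for (size_t a = 0; a < sizeof allowed / sizeof allowed[0]; a++) {
            if (strlen(allowed[a]) == klen &&
                strncmp(caller_env[i], allowed[a], klen) == 0) {
                out[n++] = caller_env[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

/* Fork, run /bin/sh -c script with exactly the environment envp, and return
 * the child's exit status (-1 on fork/wait failure, 127 if exec failed). */
int run_sh_with_env(const char *script, char *const *envp)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execle() takes the environment as an explicit argument, so the
         * parent's environ is never consulted by the child. */
        execle("/bin/sh", "sh", "-c", script, (char *)NULL, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The inherited-environment case, as execl() would behave: the child sees
 * the caller's LD_PRELOAD and PATH, so the check fails (exit 1). */
int child_with_caller_env(void)
{
    return run_sh_with_env(check_script, sample_caller_env);
}

/* The fixed case: the child gets only what build_helper_env produced, so the
 * check passes (exit 0). */
int child_with_clean_env(void)
{
    char *env[HELPER_ENV_MAX];
    build_helper_env(sample_caller_env, env, HELPER_ENV_MAX);
    return run_sh_with_env(check_script, env);
}

int main(void)
{
    printf("inherited caller environment: child exit %d\n", child_with_caller_env());
    printf("fixed helper environment:     child exit %d\n", child_with_clean_env());
    return 0;
}
```

The allow-list approach is the conservative one: a helper that runs as root should start from an empty environment and add back only variables it understands, rather than trying to enumerate the dangerous ones, since the set of variables that influence mount(8), the dynamic loader or libc changes over time.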

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#786439; Package src:fuse. (Tue, 26 May 2015 19:36:08 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 26 May 2015 19:36:08 GMT)


Message #31 received at 786439@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Santiago Ruano Rincón <santiagorr@riseup.net>
Cc: debian-lts@lists.debian.org, 786439@bugs.debian.org
Subject: Re: squeeze update of fuse?
Date: Tue, 26 May 2015 21:33:01 +0200
Hi Santiago,

On Tue, May 26, 2015 at 6:42 PM, Santiago Ruano Rincón
<santiagorr@riseup.net> wrote:
> Please find the attached dpatch to prevent CVE-2015-3202 in squeeze. It
> makes lib/mount_util.c use execle instead of execl to run external
> helpers.
>
> Please, let me know if you want me to upload a patched package, or if
> you want to do it by yourself.
I can do it myself, I've the build system for Squeeze as well. My
only question if it should be an NMU or am I allowed to change the
maintainer? At least the former would be a bit strange for me as I'm
the actual maintainer, why should I NMU it?

Thanks,
Laszlo/GCS



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#786439; Package src:fuse. (Wed, 27 May 2015 07:36:17 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Wed, 27 May 2015 07:36:17 GMT)


Message #36 received at 786439@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: László Böszörményi (GCS) <gcs@debian.org>
Cc: Santiago Ruano Rincón <santiagorr@riseup.net>, debian-lts@lists.debian.org, 786439@bugs.debian.org
Subject: Re: squeeze update of fuse?
Date: Wed, 27 May 2015 09:26:50 +0200
On Tue, 26 May 2015, László Böszörményi (GCS) wrote:
>  I can do it myself, I've the build system for Squeeze as well. My
> only question if it should be an NMU or am I allowed to change the
> maintainer? At least the former would be a bit strange for me as I'm
> the actual maintainer, why should I NMU it?

Feel free to update/fix the Maintainer field too.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#786439; Package src:fuse. (Sat, 30 May 2015 14:39:04 GMT)


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 30 May 2015 14:39:04 GMT)


Message #41 received at 786439@bugs.debian.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: "László Böszörményi (GCS)" <gcs@debian.org>
Cc: Santiago Ruano Rincón <santiagorr@riseup.net>, debian-lts@lists.debian.org, 786439@bugs.debian.org
Subject: Re: squeeze update of fuse?
Date: Sat, 30 May 2015 14:37:36 +0000
Hi László, hi Santiago,

On Tue 26 May 2015 21:33:01 CEST, László Böszörményi (GCS) wrote:

> Hi Santiago,
>
> On Tue, May 26, 2015 at 6:42 PM, Santiago Ruano Rincón
> <santiagorr@riseup.net> wrote:
>> Please find the attached dpatch to prevent CVE-2015-3202 in squeeze. It
>> makes lib/mount_util.c use execle instead of execl to run external
>> helpers.
>>
>> Please, let me know if you want me to upload a patched package, or if
>> you want to do it by yourself.
>  I can do it myself, I've the build system for Squeeze as well. My
> only question if it should be an NMU or am I allowed to change the
> maintainer? At least the former would be a bit strange for me as I'm
> the actual maintainer, why should I NMU it?

@László: Just a heads up from the LTS team... Will you be doing the
upload of fuse to squeeze-lts in the next days or do you need
assistance with it (e.g. the actual upload, but also: writing the DLA
mail, handle the update of the secure-testing SVN repo, etc.)?

@Santiago: please put your name in data/dla-needed.txt when starting
to work on an LTS package update. I put my name in for fuse yesterday
and realized just now that you already started working on fuse for
squeeze-lts (which is great!!!).

Regards,
Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Jun 2015 07:28:35 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:44:09 2019; Machine Name: beach
