race condition in fusermount

Related Vulnerabilities: CVE-2009-3297  

Debian Bug report logs - #567633

Package: fuse-utils; Maintainer for fuse-utils is (unknown);

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 30 Jan 2010 11:12:04 UTC

Severity: grave

Tags: security

Fixed in versions fuse/2.8.1-1.2, fuse/2.7.4-1.1+lenny1, fuse/2.5.3-4.4+etch4

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#567633; Package fuse-utils. (Sat, 30 Jan 2010 11:12:07 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bartosz Fenski <fenio@debian.org>. (Sat, 30 Jan 2010 11:12:07 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: race condition in fusermount
Date: Sat, 30 Jan 2010 12:11:19 +0100
Package: fuse-utils
Severity: grave
Tags: security

fuse 2.8.2 fixes a race condition if two fusermount -u instances
are run in parallel, which allows local privilege escalation.

This issue was discovered by Dan Rosenberg.

Cheers,
        Moritz


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages fuse-utils depends on:
ii  adduser                       3.112      add and remove users and groups
ii  libc6                         2.10.2-5   Embedded GNU C Library: Shared lib
pn  libfuse2                      <none>     (no description available)
ii  makedev                       2.3.1-89   creates device files in /dev
ii  sed                           4.2.1-6    The GNU sed stream editor
ii  udev                          150-2      /dev/ and hotplug management daemo

fuse-utils recommends no packages.

fuse-utils suggests no packages.




Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#567633; Package fuse-utils. (Sun, 31 Jan 2010 21:39:06 GMT).


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 31 Jan 2010 21:39:07 GMT).


Message #10 received at 567633@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 567633@bugs.debian.org
Subject: NMU
Date: Sun, 31 Jan 2010 22:37:23 +0100
Hi,

Attached is a debdiff of the changes I made for 2.8.1-1.2 0-day NMU.

Cheers,
Giuseppe

[fuse_2.8.1-1.2.debdiff (text/plain, attachment)]

Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sun, 31 Jan 2010 22:12:05 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 31 Jan 2010 22:12:05 GMT).


Message #15 received at 567633-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 567633-close@bugs.debian.org
Subject: Bug#567633: fixed in fuse 2.8.1-1.2
Date: Sun, 31 Jan 2010 22:07:49 +0000
Source: fuse
Source-Version: 2.8.1-1.2

We believe that the bug you reported is fixed in the latest version of
fuse, which is due to be installed in the Debian FTP archive:

fuse-utils_2.8.1-1.2_i386.deb
  to main/f/fuse/fuse-utils_2.8.1-1.2_i386.deb
fuse_2.8.1-1.2.diff.gz
  to main/f/fuse/fuse_2.8.1-1.2.diff.gz
fuse_2.8.1-1.2.dsc
  to main/f/fuse/fuse_2.8.1-1.2.dsc
libfuse-dev_2.8.1-1.2_i386.deb
  to main/f/fuse/libfuse-dev_2.8.1-1.2_i386.deb
libfuse2_2.8.1-1.2_i386.deb
  to main/f/fuse/libfuse2_2.8.1-1.2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 567633@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 31 Jan 2010 22:23:35 +0100
Source: fuse
Binary: fuse-utils libfuse-dev libfuse2
Architecture: source i386
Version: 2.8.1-1.2
Distribution: unstable
Urgency: high
Maintainer: Bartosz Fenski <fenio@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 fuse-utils - Filesystem in USErspace (utilities)
 libfuse-dev - Filesystem in USErspace (development files)
 libfuse2   - Filesystem in USErspace library
Closes: 567633
Changes: 
 fuse (2.8.1-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-3297: race condition in fusermount (Closes: #567633)





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Wed, 03 Feb 2010 13:54:05 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 03 Feb 2010 13:54:05 GMT).


Message #20 received at 567633-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 567633-close@bugs.debian.org
Subject: Bug#567633: fixed in fuse 2.7.4-1.1+lenny1
Date: Wed, 03 Feb 2010 13:52:40 +0000
Source: fuse
Source-Version: 2.7.4-1.1+lenny1

We believe that the bug you reported is fixed in the latest version of
fuse, which is due to be installed in the Debian FTP archive:

fuse-utils_2.7.4-1.1+lenny1_i386.deb
  to main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_i386.deb
fuse_2.7.4-1.1+lenny1.diff.gz
  to main/f/fuse/fuse_2.7.4-1.1+lenny1.diff.gz
fuse_2.7.4-1.1+lenny1.dsc
  to main/f/fuse/fuse_2.7.4-1.1+lenny1.dsc
libfuse-dev_2.7.4-1.1+lenny1_i386.deb
  to main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_i386.deb
libfuse2_2.7.4-1.1+lenny1_i386.deb
  to main/f/fuse/libfuse2_2.7.4-1.1+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 567633@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 31 Jan 2010 23:12:19 +0100
Source: fuse
Binary: fuse-utils libfuse-dev libfuse2
Architecture: source i386
Version: 2.7.4-1.1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Bartosz Fenski <fenio@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 fuse-utils - Filesystem in USErspace (utilities)
 libfuse-dev - Filesystem in USErspace (development files)
 libfuse2   - Filesystem in USErspace library
Closes: 567633
Changes: 
 fuse (2.7.4-1.1+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-3297: race condition in fusermount (Closes: #567633)





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Thu, 18 Feb 2010 07:54:07 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 18 Feb 2010 07:54:07 GMT).


Message #25 received at 567633-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 567633-close@bugs.debian.org
Subject: Bug#567633: fixed in fuse 2.5.3-4.4+etch4
Date: Thu, 18 Feb 2010 07:53:24 +0000
Source: fuse
Source-Version: 2.5.3-4.4+etch4

We believe that the bug you reported is fixed in the latest version of
fuse, which is due to be installed in the Debian FTP archive:

fuse-utils_2.5.3-4.4+etch4_i386.deb
  to main/f/fuse/fuse-utils_2.5.3-4.4+etch4_i386.deb
fuse_2.5.3-4.4+etch4.diff.gz
  to main/f/fuse/fuse_2.5.3-4.4+etch4.diff.gz
fuse_2.5.3-4.4+etch4.dsc
  to main/f/fuse/fuse_2.5.3-4.4+etch4.dsc
libfuse-dev_2.5.3-4.4+etch4_i386.deb
  to main/f/fuse/libfuse-dev_2.5.3-4.4+etch4_i386.deb
libfuse2_2.5.3-4.4+etch4_i386.deb
  to main/f/fuse/libfuse2_2.5.3-4.4+etch4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 567633@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 01 Feb 2010 22:49:29 +0100
Source: fuse
Binary: libfuse2 libfuse-dev fuse-utils
Architecture: source i386
Version: 2.5.3-4.4+etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Bartosz Fenski <fenio@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 fuse-utils - Filesystem in USErspace (utilities)
 libfuse-dev - Filesystem in USErspace (development files)
 libfuse2   - Filesystem in USErspace library
Closes: 567633
Changes: 
 fuse (2.5.3-4.4+etch4) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Backported upstream patch to fix CVE-2009-3297 (Closes: #567633)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:35:23 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:53:26 2019; Machine Name: buxtehude