CVE-2005-3531: fusermount may corrupt /etc/mtab

Debian Bug report logs - #340398
CVE-2005-3531: fusermount may corrupt /etc/mtab

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2005-3531: fusermount may corrupt /etc/mtab

Date: Wed, 23 Nov 2005 10:17:09 +0100

Package: fuse-utils
Version: 2.4.0-1
Severity: grave
Tags: security
Justification: user security hole

Thomas Biege from the SuSE security team discovered that special chars
such as "\n", "\t" and "\\" are misinterpreted by fusermount, which
could potentially allow a user from the "fuse" group (or whatever group
has been chosen) to manipulate mount options.

A patch from Miklos Szeredi can be found at 
http://bugs.gentoo.org/attachment.cgi?id=73173

This has been assigned CVE-2005-3531, please mention it in the changelog
when fixing it.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages fuse-utils depends on:
ii  adduser                       3.79       Add and remove users and groups
ii  debconf [debconf-2.0]         1.4.59     Debian configuration management sy
ii  libc6                         2.3.5-8    GNU C Library: Shared libraries an
ii  sed                           4.1.4-4    The GNU sed stream editor
ii  ucf                           2.003      Update Configuration File: preserv

Versions of packages fuse-utils recommends:
pn  fuse-source                   <none>     (no description available)

-- debconf information excluded

Message #12 received at 340398-close@bugs.debian.org (full text, mbox, reply):

From: Bartosz Fenski <fenio@debian.org>

To: 340398-close@bugs.debian.org

Subject: Bug#340398: fixed in fuse 2.5.1-1

Date: Wed, 01 Feb 2006 17:02:15 -0800

Source: fuse
Source-Version: 2.5.1-1

We believe that the bug you reported is fixed in the latest version of
fuse, which is due to be installed in the Debian FTP archive:

fuse-source_2.5.1-1_all.deb
  to pool/main/f/fuse/fuse-source_2.5.1-1_all.deb
fuse-utils_2.5.1-1_i386.deb
  to pool/main/f/fuse/fuse-utils_2.5.1-1_i386.deb
fuse_2.5.1-1.diff.gz
  to pool/main/f/fuse/fuse_2.5.1-1.diff.gz
fuse_2.5.1-1.dsc
  to pool/main/f/fuse/fuse_2.5.1-1.dsc
fuse_2.5.1.orig.tar.gz
  to pool/main/f/fuse/fuse_2.5.1.orig.tar.gz
libfuse-dev_2.5.1-1_i386.deb
  to pool/main/f/fuse/libfuse-dev_2.5.1-1_i386.deb
libfuse2_2.5.1-1_i386.deb
  to pool/main/f/fuse/libfuse2_2.5.1-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 340398@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bartosz Fenski <fenio@debian.org> (supplier of updated fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  2 Feb 2006 01:08:40 +0100
Source: fuse
Binary: libfuse2 libfuse-dev fuse-utils fuse-source
Architecture: source i386 all
Version: 2.5.1-1
Distribution: unstable
Urgency: low
Maintainer: Bartosz Fenski <fenio@debian.org>
Changed-By: Bartosz Fenski <fenio@debian.org>
Description: 
 fuse-source - Filesystem in USErspace (source for kernel module)
 fuse-utils - Filesystem in USErspace (utilities)
 libfuse-dev - Filesystem in USErspace (development files)
 libfuse2   - Filesystem in USErspace library
Closes: 297505 298829 306281 307624 307627 310964 326742 334381 334639 337568 337572 339688 340398 340796 342826 343702 350659
Changes: 
 fuse (2.5.1-1) unstable; urgency=low
 .
   * New upstream version. (Closes: #350659)
   * The 'Goodbye debconf' release.
     - reorganization of all packaging scripts to get rid of debconf stuff.
     - doesn't handle creation of group anymore, so
       (Closes: #307627, #342826, #310964, #306281, #307624)
   * ACK previous NMU. (Closes: #339688, #340398, #298829)
   * Handles creation/remove of fuse device. (Closes: #334639, #297505)
   * Since now fuse-source depends on either module-assistant
     or kernel-package. (Closes: #326742)
   * Includes mount.fuse script. (Closes: #343702, #334381)
   * Doesn't use debconf templates anymore. (Closes: #337568, #337572, #340796)
Files: 
 aa1a6c7ccc0ea86df31cd9cffad7a5ef 625 libs optional fuse_2.5.1-1.dsc
 c752f881c8b6586ce086fc8df3fb16e8 407660 libs optional fuse_2.5.1.orig.tar.gz
 de1fc9a564ff58fbe56555bb7ff06f1c 7730 libs optional fuse_2.5.1-1.diff.gz
 3809b9ef3570c0f3ef30824912d4eb6f 54884 utils optional fuse-utils_2.5.1-1_i386.deb
 b1cb86c3f4f757fdb13c0d7e8e445ca8 92192 libdevel optional libfuse-dev_2.5.1-1_i386.deb
 ce3e7dfea4a8a139e15cd9d013d5b126 48918 libs optional libfuse2_2.5.1-1_i386.deb
 7775d2543fae18baf246a00936f054e2 101684 utils optional fuse-source_2.5.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD4VgJhQui3hP+/EARAmQHAJwIiP8ym2Xi0K7NjHwnbGd9rjMZYgCgyY1P
UGGsyiCVPPzNX96vKlaUxxQ=
=5TCq
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.