Debian Bug report logs -
#779047
Two security issues
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Mon, 23 Feb 2015 17:51:01 UTC
Severity: grave
Tags: jessie, security, sid, squeeze, stretch, upstream, wheezy
Found in versions fuseiso/20070708-1, fuseiso/20070708-3.1
Fixed in versions fuseiso/20070708-2+deb6u1, fuseiso/20070708-3.2, fuseiso/20070708-3+deb7u1
Done: Thorsten Alteholz <debian@alteholz.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Paleino <dapal@debian.org>:
Bug#779047; Package fuseiso.
(Mon, 23 Feb 2015 17:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Paleino <dapal@debian.org>.
(Mon, 23 Feb 2015 17:51:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: fuseiso
Severity: grave
Tags: security
Hi,
two vulnerabilities have been found in fuseiso:
https://bugzilla.redhat.com/show_bug.cgi?id=863102
https://bugzilla.redhat.com/show_bug.cgi?id=863091
CVE IDs have been requested, but are not yet assigned:
http://www.openwall.com/lists/oss-security/2015/02/06/7
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, David Paleino <dapal@debian.org>:
Bug#779047; Package fuseiso.
(Wed, 11 Mar 2015 22:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to David Paleino <dapal@debian.org>.
(Wed, 11 Mar 2015 22:09:04 GMT) (full text, mbox, link).
Message #10 received at 779047@bugs.debian.org (full text, mbox, reply):
Hi,
On Mon, Feb 23, 2015 at 06:46:37PM +0100, Moritz Muehlenhoff wrote:
> Package: fuseiso
> Severity: grave
> Tags: security
>
> Hi,
> two vulnerabilities have been found in fuseiso:
> https://bugzilla.redhat.com/show_bug.cgi?id=863102
> https://bugzilla.redhat.com/show_bug.cgi?id=863091
Additional information is provided in additionally referenced bugs in
the Red Hat Bugzilla at
https://bugzilla.redhat.com/show_bug.cgi?id=861358
and
https://bugzilla.redhat.com/show_bug.cgi?id=862211
Regards,
Salvatore
Marked as found in versions fuseiso/20070708-3.1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 11 Mar 2015 22:09:11 GMT) (full text, mbox, link).
Marked as found in versions fuseiso/20070708-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 11 Mar 2015 22:09:16 GMT) (full text, mbox, link).
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 11 Mar 2015 22:15:10 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, David Paleino <dapal@debian.org>:
Bug#779047; Package fuseiso.
(Thu, 01 Oct 2015 08:48:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to David Paleino <dapal@debian.org>.
(Thu, 01 Oct 2015 08:48:03 GMT) (full text, mbox, link).
Message #21 received at 779047@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi all,
On Do 16 Jul 2015 20:41:43 CEST, Ben Hutchings wrote:
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Attached you find a .debdiff for fuseiso in unstable adding two
patches to fuseiso, that hopefully fix the reported issues [1,2].
Under [1,2] Florian Weimer from Redhat offers two ISO images that
reproduce the observed issues. I am still waiting for Florian Weimer
to get back to me about those ISO images (one ISO arrived here in a
corrupt state, the other ISO I have only just asked for).
I have tested my changes on the code in respect to potential
breakages, ISO images mount well here with the changes applied. But
the real test will happen, once I have the reproducer ISO images at
hand.
Greets,
Mike
[1] https://bugzilla.redhat.com/show_bug.cgi?id=862211
[2] https://bugzilla.redhat.com/show_bug.cgi?id=861358
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[fuseiso_20070708-3.1_20070708-3.2.debdiff (text/plain, attachment)]
[Message part 3 (application/pgp-signature, inline)]
Reply sent
to Mike Gabriel <sunweaver@debian.org>:
You have taken responsibility.
(Thu, 01 Oct 2015 09:36:16 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Thu, 01 Oct 2015 09:36:16 GMT) (full text, mbox, link).
Message #26 received at 779047-close@bugs.debian.org (full text, mbox, reply):
Source: fuseiso
Source-Version: 20070708-2+deb6u1
We believe that the bug you reported is fixed in the latest version of
fuseiso, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 779047@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated fuseiso package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 01 Oct 2015 05:52:08 +0200
Source: fuseiso
Binary: fuseiso
Architecture: source amd64
Version: 20070708-2+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: David Paleino <dapal@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description:
fuseiso - FUSE module to mount ISO filesystem images
Closes: 779047
Changes:
fuseiso (20070708-2+deb6u1) squeeze-lts; urgency=medium
.
* Non-maintainer upload by the Debian LTS Team.
* debian/patches (Closes: #779047):
+ Add 02-prevent-buffer-overflow.patch. Prevent stack-based buffer overflow
when concatenating strings to an absolute path name. Prevention is done
by checking that the result will stay under the maximum path length as given
by the platforms PATH_MAX constant.
+ Add 03-prevent-integer-overflow.patch. Prevent integer overflow in ZISO
code. Bail out if a ZF block size > 2^17 is to be read.
Checksums-Sha1:
34d693816e1b608dc819c4de6072bd09d55d4bbc 1921 fuseiso_20070708-2+deb6u1.dsc
e82aee54c2a3ecc0c84ed738345eb0287c99a3b0 4933 fuseiso_20070708-2+deb6u1.debian.tar.gz
ae3647de26ffadf48d79380913832afba28d8f38 21940 fuseiso_20070708-2+deb6u1_amd64.deb
Checksums-Sha256:
d5514cb26cc5e86e261a36511fc5fe1217d66a5da411814e49f81c4fdf7667e8 1921 fuseiso_20070708-2+deb6u1.dsc
bb2d99c296afd5bcbe7ae446b268398f41cd70062fa5703436ad15c25d3b7b6f 4933 fuseiso_20070708-2+deb6u1.debian.tar.gz
15e5f9e4dac6c5ee3cb1bee52f493127681208972a62ba96ce82fafa8d1b0449 21940 fuseiso_20070708-2+deb6u1_amd64.deb
Files:
c931f85e31ccc2dde445fd4335f035c9 1921 admin optional fuseiso_20070708-2+deb6u1.dsc
a7aaefe68e525f44d120088d36978de3 4933 admin optional fuseiso_20070708-2+deb6u1.debian.tar.gz
77c7178dc2bfc257b3cc5802c072e5da 21940 admin optional fuseiso_20070708-2+deb6u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJWDP0zAAoJEJr0azAldxsxwA0QAIh/4Rgzq9pPoIPUodQmFAXR
9Pyh9ewLUMNoUxfAtxOPfc66otrrBL4arzrfL34PGA2VdUpJTAXEj1cAo2mpvmJE
5fMKMELCDnhBu2JaN6BOwysT/wjuhbuWt1C9FIajqI20/xOzFBkCa1eVDohEe30v
WuJHqzSFtlZIjGZzzTIS2uj2rvemPlR920ZupfznCZzQfskA0h589zq0JR/cx/n6
L2nzP8QvZLkmra1Tr3BMSM3I2YfUWKo/Iko0xhlEuuLUtrsmGxugakWqhHUsH5NG
E5/0QDIzYtBWcvpAZH5QpPj+PqVb5Moc2HgCbWXKC4fFDzrP3bK0ui2ew8eIeU7a
FfGlOtefAD88Sgpw7lOUyI3LR2bTsEUUlUIFcaK8abDWALOl2R5fjrBzBKX0+TJD
E10SPwEEWcipY22iBesW2kHR6W31FYalOFOpgA7dODyumrg6/MY2ch+JGtYn5Lo9
54e3R9FceMkw61t4QGr8zVL1xuHj3pz7RokjBYA3ga6tk4IZC65msopZECXRLW2F
vx6XEMj22QWnEF/swQMMaUbnOWZH0OL3z/kx2W34Bw/caLMHCKKKEZtAydJ7nK6Q
gazuPuTqWspv3KmfyX3mk40wAkbK0fbBvG80V2VO7n/viFJhLo7eMXxm4WDsvlVQ
8LF8R5ne3Y/AoyWtWMmi
=M4jg
-----END PGP SIGNATURE-----
Reply sent
to Mike Gabriel <sunweaver@debian.org>:
You have taken responsibility.
(Thu, 01 Oct 2015 09:36:19 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Thu, 01 Oct 2015 09:36:20 GMT) (full text, mbox, link).
Message #31 received at 779047-close@bugs.debian.org (full text, mbox, reply):
Source: fuseiso
Source-Version: 20070708-3.2
We believe that the bug you reported is fixed in the latest version of
fuseiso, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 779047@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated fuseiso package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 01 Oct 2015 11:27:12 +0200
Source: fuseiso
Binary: fuseiso
Architecture: source amd64
Version: 20070708-3.2
Distribution: unstable
Urgency: medium
Maintainer: David Paleino <dapal@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description:
fuseiso - FUSE module to mount ISO filesystem images
Closes: 779047
Changes:
fuseiso (20070708-3.2) unstable; urgency=medium
.
* Non-maintainer upload.
* debian/patches (Closes: #779047):
+ Add 02-prevent-buffer-overflow.patch. Prevent stack-based buffer overflow
when concatenating strings to an absolute path name. Prevention is done
by checking that the result will stay under the maximum path length as given
by the platforms PATH_MAX constant.
+ Add 03-prevent-integer-overflow.patch. Prevent integer overflow in ZISO
code. Bail out if a ZF block size > 2^17 is to be read.
Checksums-Sha1:
448b27af7fbf0e84c93e64ccd54f6cee6f03954e 1906 fuseiso_20070708-3.2.dsc
51551f323c579637dbc7c5cb01bb20b5e794fd0f 5028 fuseiso_20070708-3.2.debian.tar.xz
1a8569f90fe272c7cd8400fc9239b1848a63a289 19708 fuseiso_20070708-3.2_amd64.deb
Checksums-Sha256:
6a42820b4bee09cc0b08272973c88e9d0490e42b75124d18da6a7081db5c9be6 1906 fuseiso_20070708-3.2.dsc
8f26cf5994d59a9c388b758c6793551fb6008165c8169971c1ff6a60c7b93e96 5028 fuseiso_20070708-3.2.debian.tar.xz
b74d0ea66e925b46b12e4ff28a1e4ad37d724d9c5703c880f267944d2042dad3 19708 fuseiso_20070708-3.2_amd64.deb
Files:
52c0fc47310847dd6c03c4ed33606956 1906 admin optional fuseiso_20070708-3.2.dsc
4d4837edbd0e177a55d4a1df6fe8c91c 5028 admin optional fuseiso_20070708-3.2.debian.tar.xz
10c91fdfba96cada86247a53a080695a 19708 admin optional fuseiso_20070708-3.2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJWDPyXAAoJEJr0azAldxsxKM4P/A5GJ/jNjNp6R3zXXWin/zWQ
yN+YEaTpM/oniliTDvkk0zZTjkYQUitkXYprFMb94SYK+IoxJUhuT8uIy9vQJ8hH
nrP0Wp4e3oeCLJYZCUOU+gea9AH9P7N6qG6Py9LRHokYmQXmkEkD1wyKDGBOpmnl
eA12Y/4OhDa1sWjNwylOZysOzJhJaNWYWVl2eXR1lTUPLzMyZICT7FzDyaNLwegY
U1FHETMM4GnhpUJaRg1YylwCxGcu3KNLWkX2lRSg73vyvoapbb1SvILOfiGW5bwp
lgh4hcusXO5y4QAo9GAic3m4MgqvH8J1aLQxX4kc93KMYVJ7ojkNQIqmAQtx0Y99
Tc1roDAtg9Kde6KjLjqWP+Eh/In44xS64NmNcC44X/AoRdXlzvWrjgCmMwZ9PbVI
DNShgbQXDAF7bK7T0yWsyufRxyF3PCGrL8kiboy/SnmMFdL9RfrlR80vX4hcmnBP
uqPJ3eKEKHzlRPUty3Uc+DdbWUaqK5xMY6bC2EgsNR7JpnEm+wTlei0gErxYLrAO
HkVlcI4Y6YU1qulp5SIag9wMI28YI/jC5Wqy6SSlBBMdPdcav/qi3Ma1RHYDyB6e
HdHI1VLo3RnrCmTO8DHHPSDtN7J/b2XM1MzSGwoWdX+EFABcM9LOa2dvV6M75EeO
sHCoQvnjPPavQiD44MZp
=Dm/w
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 04 Nov 2015 07:27:19 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 26 Mar 2016 14:30:03 GMT) (full text, mbox, link).
Added tag(s) squeeze, wheezy, jessie, sid, and stretch.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 26 Mar 2016 14:30:03 GMT) (full text, mbox, link).
Reply sent
to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility.
(Fri, 22 Apr 2016 21:57:09 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Fri, 22 Apr 2016 21:57:09 GMT) (full text, mbox, link).
Message #42 received at 779047-close@bugs.debian.org (full text, mbox, reply):
Source: fuseiso
Source-Version: 20070708-3+deb7u1
We believe that the bug you reported is fixed in the latest version of
fuseiso, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 779047@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated fuseiso package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 24 Mar 2016 18:03:02 +0100
Source: fuseiso
Binary: fuseiso
Architecture: source i386
Version: 20070708-3+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: David Paleino <dapal@debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description:
fuseiso - FUSE module to mount ISO filesystem images
Closes: 779047
Changes:
fuseiso (20070708-3+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Wheezy LTS Team.
* debian/patches (Closes: #779047):
(patches copied from the Squeeze version)
+ CVE-2015-8837
Add 02-prevent-buffer-overflow.patch. Prevent stack-based buffer overflow
when concatenating strings to an absolute path name. Prevention is done
by checking that the result will stay under the maximum path length as given
by the platforms PATH_MAX constant.
+ CVE-2015-8836
Add 03-prevent-integer-overflow.patch. Prevent integer overflow in ZISO
code. Bail out if a ZF block size > 2^17 is to be read.
Checksums-Sha1:
151f3bda79f1226f0fe019f3d51439c19224ef7f 2051 fuseiso_20070708-3+deb7u1.dsc
4b3069f535af53477172359eaaab90e5b827f8e9 339470 fuseiso_20070708.orig.tar.gz
e5edbc80df95be06d50e0a24ffba6090db38e586 5178 fuseiso_20070708-3+deb7u1.debian.tar.gz
32d0ae73be7a5c78a08083bef222b476ff8a2251 22724 fuseiso_20070708-3+deb7u1_i386.deb
Checksums-Sha256:
a3088ae7e50389002823b4fd72a811735ffd23d5bb3e8a14326946203194780d 2051 fuseiso_20070708-3+deb7u1.dsc
9bc183a99f0025d01f30ac3f3622b2602b0ad58dfb5d3acce9063d144bf77193 339470 fuseiso_20070708.orig.tar.gz
668730b73d858179950e408d4cdb7c67aebc3981ef7035e5675639a5679a4636 5178 fuseiso_20070708-3+deb7u1.debian.tar.gz
bdc581832d950a74f05e3ba80c3fcd35b1db4d52740dfd33e93f8067878f5b29 22724 fuseiso_20070708-3+deb7u1_i386.deb
Files:
b1ff3fefdf6a07ada1648a7f9be0d7a2 2051 admin optional fuseiso_20070708-3+deb7u1.dsc
30a0e7a3cf577664001e471ba12b6fb4 339470 admin optional fuseiso_20070708.orig.tar.gz
e86de53189d8ec0c484e3282a2a7e2b6 5178 admin optional fuseiso_20070708-3+deb7u1.debian.tar.gz
0dc6671b43d9d6c02d669d76fe709279 22724 admin optional fuseiso_20070708-3+deb7u1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQJ8BAEBCgBmBQJXAqnmXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHgn0P/ifEl8cC36kuUQ0TVIKV8amn
NKxG4AKeMvG+fCHyvePxJd2uDOx837wpBFeuTYt5PAQBYAjBeLskpZrMu/mbkala
zGAW4qTuGQ9HTmtcekkAVYuCVFwmaUBgV3UCTS4Dacd7CJlt/8DiNn0zyn8Jf2de
3oB+7vPQsRrDqKVoxzeE0M+e9pF3oAMTDDo0/9Zj5Evl+CKvTe4fC1y8bxPj2ZtB
+t+V3rPXZpfnHE/wlwNbl5iMO7MkSp//PlEZWF1wgs65obKUaixZEfwmSYVA9Xby
OdJA+w9mHIgW4qoLujWmzbhpyNHZpYYdtsL6AMh4xshJMEzNNDjTJyqPnhgdH3Iy
P1gSZtZ0tGtRe05V2tq6VsHKDIHZI0o7tjigUhqaugKt/BIW38CGEBjwXSq93uoG
ziczrZtoTl730W3HxKFp+lTOarAk7ok6uHXdZ/IdTQwl7BJobiN5VQmPYFx/xaI6
o8EQXANTUgfBOPdGH74k4xAtLET7J2O37sTw6C5/Zq5wTvzM+jpfmS439k8hA+zH
fNKPDF97dp3AZQCYcisaU2tUDy0hbgHpCRTFNVwAdBxuBjxyaoOraHpuwZfCZpAY
D18gGQkxlwbwqgapycIFBhL7RaCbfbXnDSApGTyVPh67A186gT6vU2RrrPGmFy6z
zVcvLEYXhuX40Zf3MfB8
=FNzq
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 05 Jun 2016 07:36:39 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:55:44 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon