tags 398254 + security
tags 398254 + patch
thanks
>The postinst of fuse-utils creates the group fuse and sets the
>permissions of fusermount to root:fuse 4754. Before that happens,
>fusermount has the permissions specified in the deb, namely root:root
>4755. Thus, during the installation of fuse, any user can mount a
>FUSE filesystem without needing membership in group fuse.
I belive it is a security bug, non allowed user could use fuse.
Do not raise priority because it will only allow a user to do something mad on
his own account, and race windows is tiny.
Patch is simple please apply (NMU candidate?)
Regards
Bastien
--
"ROUCARIÈS Bastien"
roucaries.bastien+deb...@gmail.com
-------------------------------------------------------------------------------
DO NOT WRITE TO roucaries.bastien+blackh...@gmail.com OR BE BLACKLISTED
--- rules.old 2009-01-02 20:41:10.000000000 +0100
+++ rules 2009-01-02 21:26:45.000000000 +0100
@@ -86,7 +86,7 @@
dh_shlibdeps -s
dh_gencontrol -s
dh_md5sums -s
- chmod 4755 debian/fuse-utils/usr/bin/fusermount
+ chmod 4700 debian/fuse-utils/usr/bin/fusermount
dh_builddeb -s
binary-indep:
