Your message dated Sun, 31 Jan 2010 22:07:49 +0000
with message-id <e1nbhxn-0007sn...@ries.debian.org>
and subject line Bug#567633: fixed in fuse 2.8.1-1.2
has caused the Debian Bug report #567633,
regarding race condition in fusermount
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
567633: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567633
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fuse-utils
Severity: grave
Tags: security
fuse 2.8.2 fixes a race condition if two fusermount -u instances
are run in parallel, which allows local privilege escalation.
This issue was discovered by Dan Rosenberg.
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages fuse-utils depends on:
ii adduser 3.112 add and remove users and groups
ii libc6 2.10.2-5 Embedded GNU C Library: Shared lib
pn libfuse2 <none> (no description available)
ii makedev 2.3.1-89 creates device files in /dev
ii sed 4.2.1-6 The GNU sed stream editor
ii udev 150-2 /dev/ and hotplug management daemo
fuse-utils recommends no packages.
fuse-utils suggests no packages.
--- End Message ---
--- Begin Message ---
Source: fuse
Source-Version: 2.8.1-1.2
We believe that the bug you reported is fixed in the latest version of
fuse, which is due to be installed in the Debian FTP archive:
fuse-utils_2.8.1-1.2_i386.deb
to main/f/fuse/fuse-utils_2.8.1-1.2_i386.deb
fuse_2.8.1-1.2.diff.gz
to main/f/fuse/fuse_2.8.1-1.2.diff.gz
fuse_2.8.1-1.2.dsc
to main/f/fuse/fuse_2.8.1-1.2.dsc
libfuse-dev_2.8.1-1.2_i386.deb
to main/f/fuse/libfuse-dev_2.8.1-1.2_i386.deb
libfuse2_2.8.1-1.2_i386.deb
to main/f/fuse/libfuse2_2.8.1-1.2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 567...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated fuse package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 31 Jan 2010 22:23:35 +0100
Source: fuse
Binary: fuse-utils libfuse-dev libfuse2
Architecture: source i386
Version: 2.8.1-1.2
Distribution: unstable
Urgency: high
Maintainer: Bartosz Fenski <fe...@debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description:
fuse-utils - Filesystem in USErspace (utilities)
libfuse-dev - Filesystem in USErspace (development files)
libfuse2 - Filesystem in USErspace library
Closes: 567633
Changes:
fuse (2.8.1-1.2) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed CVE-2009-3297: race condition in fusermount (Closes: #567633)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktl+C8ACgkQNxpp46476ao0lACgnfwTE46uQkkTA687pKBABFXY
4iwAn2xlz50nSXO6OMcYU6MBWM9Pcz0W
=izfX
-----END PGP SIGNATURE-----
--- End Message ---