Your message dated Wed, 03 Feb 2010 13:52:40 +0000
with message-id <e1ncfeq-0001ud...@ries.debian.org>
and subject line Bug#567633: fixed in fuse 2.7.4-1.1+lenny1
has caused the Debian Bug report #567633,
regarding race condition in fusermount
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
567633: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567633
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fuse-utils
Severity: grave
Tags: security
fuse 2.8.2 fixes a race condition if two fusermount -u instances
are run in parallel, which allows local privilege escalation.
This issue was discovered by Dan Rosenberg.
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages fuse-utils depends on:
ii adduser 3.112 add and remove users and groups
ii libc6 2.10.2-5 Embedded GNU C Library: Shared lib
pn libfuse2 <none> (no description available)
ii makedev 2.3.1-89 creates device files in /dev
ii sed 4.2.1-6 The GNU sed stream editor
ii udev 150-2 /dev/ and hotplug management daemo
fuse-utils recommends no packages.
fuse-utils suggests no packages.
--- End Message ---
--- Begin Message ---
Source: fuse
Source-Version: 2.7.4-1.1+lenny1
We believe that the bug you reported is fixed in the latest version of
fuse, which is due to be installed in the Debian FTP archive:
fuse-utils_2.7.4-1.1+lenny1_i386.deb
to main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_i386.deb
fuse_2.7.4-1.1+lenny1.diff.gz
to main/f/fuse/fuse_2.7.4-1.1+lenny1.diff.gz
fuse_2.7.4-1.1+lenny1.dsc
to main/f/fuse/fuse_2.7.4-1.1+lenny1.dsc
libfuse-dev_2.7.4-1.1+lenny1_i386.deb
to main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_i386.deb
libfuse2_2.7.4-1.1+lenny1_i386.deb
to main/f/fuse/libfuse2_2.7.4-1.1+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 567...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated fuse package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 31 Jan 2010 23:12:19 +0100
Source: fuse
Binary: fuse-utils libfuse-dev libfuse2
Architecture: source i386
Version: 2.7.4-1.1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Bartosz Fenski <fe...@debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description:
fuse-utils - Filesystem in USErspace (utilities)
libfuse-dev - Filesystem in USErspace (development files)
libfuse2 - Filesystem in USErspace library
Closes: 567633
Changes:
fuse (2.7.4-1.1+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed CVE-2009-3297: race condition in fusermount (Closes: #567633)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktmk/cACgkQNxpp46476apTBwCdENfa7beHYimQ/CpUbMxBJw6E
nhsAn1k6qUnexXcpsR1mp3d3KvXj87Pi
=hLYk
-----END PGP SIGNATURE-----
--- End Message ---