I've been trying to get to the bottom of this bug over the past day, not helped by libfuse redirecting fusermount's stderr to /dev/null.
There are actually two bugs here with roughly the same effect. When mounting, fusermount must:

1. Make the mount() system call;
2. Run the mount command to record the mountpoint in /etc/mtab;
3. If (2) fails then unmount using the umount2() system call.

We must prevent the mount command from canonicalising symlinks when adding to /etc/mtab. This is supposed to be done already, but there is an automatic fallback for compatibility with old versions of the mount command which can be exploited by forcing the first invocation to fail.

Currently (3) uses the absolute path, which may have been redirected since (1).

I'll apply the attached patch for squeeze. Unfortunately we cannot fix the first bug on lenny as its version of mount does not support --no-canonicalize. There is no point in fixing only one of the bugs.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
004-CVE-2010-3879.dpatch
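The second bug in the message above is a time-of-check/time-of-use race: step (3) re-resolves the absolute mountpoint path, so anything that replaced that path with a symlink after step (1) redirects the umount2() call. The added example below (written for this page, not code from libfuse or from the attached patch) shows the defensive pattern: resolve the mountpoint once, keep an fd on its parent directory plus the last path component, and re-check that directory's identity (dev, inode, AT_SYMLINK_NOFOLLOW) before any later operation instead of trusting the absolute path again. The demo function constructs a temporary directory, pins it, swaps a symlink into its place, and shows that the absolute path now resolves elsewhere while the pinned reference detects the change. The struct and function names are this example's own; no real mount() or umount2() call is made, so it runs unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A mountpoint pinned at step (1): an fd on its parent directory, the last
 * path component, and the identity (dev, inode) of the directory at that
 * time. Later steps go through dirfd + name, never the absolute path, so a
 * symlink dropped in place of the mountpoint afterwards cannot redirect them.
 * (Hypothetical type for this example.) */
struct pinned_mnt {
    int dirfd;
    char name[NAME_MAX + 1];
    struct stat st;
};

/* Pin `path`. Returns 0 on success, -1 (errno set) if the parent cannot be
 * opened or the final component is not a plain directory. */
int pin_mountpoint(const char *path, struct pinned_mnt *p)
{
    char *d = strdup(path), *b = strdup(path);
    if (!d || !b) { free(d); free(b); return -1; }
    const char *dir = dirname(d);
    const char *base = basename(b);
    int rc = -1;

    p->dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    /* AT_SYMLINK_NOFOLLOW: the mountpoint itself must not be a symlink. */
    if (p->dirfd >= 0 &&
        fstatat(p->dirfd, base, &p->st, AT_SYMLINK_NOFOLLOW) == 0) {
        if (S_ISDIR(p->st.st_mode) && strlen(base) <= NAME_MAX) {
            strcpy(p->name, base);
            rc = 0;
        } else {
            errno = ENOTDIR;
        }
    }
    if (rc < 0 && p->dirfd >= 0) {
        int saved = errno;
        close(p->dirfd);
        p->dirfd = -1;
        errno = saved;
    }
    free(d);
    free(b);
    return rc;
}

/* Check to run before step (3): does dirfd + name still refer to the very
 * directory that was pinned? 1 = unchanged, 0 = replaced (e.g. by a symlink)
 * or gone. */
int pinned_unchanged(const struct pinned_mnt *p)
{
    struct stat now;
    if (fstatat(p->dirfd, p->name, &now, AT_SYMLINK_NOFOLLOW) < 0)
        return 0;
    return S_ISDIR(now.st_mode) &&
           now.st_dev == p->st.st_dev && now.st_ino == p->st.st_ino;
}

void unpin(struct pinned_mnt *p)
{
    if (p->dirfd >= 0)
        close(p->dirfd);
    p->dirfd = -1;
}

/* Constructed demonstration: pin a fresh directory, then replace it with a
 * symlink (the situation the message describes between steps (1) and (3)).
 * Returns 1 when the absolute path now silently resolves to a different
 * directory while the pinned reference reports the swap, 0 if either side
 * behaves differently, -1 on setup failure. */
int demo_symlink_swap(void)
{
    char tmpl[] = "/tmp/pinmntXXXXXX";          /* constructed temp tree */
    char *root = mkdtemp(tmpl);
    if (!root)
        return -1;

    char mnt[PATH_MAX], moved[PATH_MAX];
    snprintf(mnt, sizeof mnt, "%s/mnt", root);
    snprintf(moved, sizeof moved, "%s/moved", root);

    struct pinned_mnt p = { .dirfd = -1 };
    int result = -1;
    if (mkdir(mnt, 0700) == 0 && pin_mountpoint(mnt, &p) == 0) {
        /* Swap: move the real directory aside and put a symlink to the
         * parent directory (standing in for "somewhere else") in its place. */
        if (rename(mnt, moved) == 0 && symlink(".", mnt) == 0) {
            struct stat via_abs;
            int abs_redirected = stat(mnt, &via_abs) == 0 &&
                                 S_ISDIR(via_abs.st_mode) &&
                                 via_abs.st_ino != p.st.st_ino;
            int pinned_caught = !pinned_unchanged(&p);
            result = (abs_redirected && pinned_caught) ? 1 : 0;
        }
    }
    unpin(&p);
    unlink(mnt);
    rmdir(moved);
    rmdir(mnt);
    rmdir(root);
    return result;
}

int main(void)
{
    int r = demo_symlink_swap();
    printf("demo result: %d (1 = absolute path redirected, pinned reference caught it)\n", r);
    return r == 1 ? 0 : 1;
}
```

The point of the check is not to "fix" the path but to refuse: if pinned_unchanged() returns 0 before step (3), the correct response is to abort the unmount and report an error, since whatever now sits at that name is not the directory that was mounted. The --no-canonicalize concern in the message is the same idea applied to the mount command: the path recorded in /etc/mtab must be the one that was checked, not a re-resolved one.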