Your message dated Wed, 01 Feb 2006 17:02:15 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#340398: fixed in fuse 2.5.1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Nov 2005 09:17:20 +0000
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: CVE-2005-3531: fusermount may corrupt /etc/mtab
X-Mailer: reportbug 3.17
Date: Wed, 23 Nov 2005 10:17:09 +0100
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>

Package: fuse-utils
Version: 2.4.0-1
Severity: grave
Tags: security
Justification: user security hole

Thomas Biege from the SuSE security team discovered that special chars
such as "\n", "\t" and "\\" are misinterpreted by fusermount, which
could potentially allow a user from the "fuse" group (or whatever group
has been chosen) to manipulate mount options.

A patch from Miklos Szeredi can be found at 
http://bugs.gentoo.org/attachment.cgi?id=73173

This has been assigned CVE-2005-3531, please mention it in the changelog
when fixing it.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages fuse-utils depends on:
ii  adduser                       3.79       Add and remove users and groups
ii  debconf [debconf-2.0]         1.4.59     Debian configuration management sy
ii  libc6                         2.3.5-8    GNU C Library: Shared libraries an
ii  sed                           4.1.4-4    The GNU sed stream editor
ii  ucf                           2.003      Update Configuration File: preserv

Versions of packages fuse-utils recommends:
pn  fuse-source                   <none>     (no description available)

-- debconf information excluded
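
An added illustration of the problem class this report describes, not code from fusermount or from the patch linked above: when a name containing "\n", "\t" or "\\" is written raw into a whitespace-delimited mtab record, a line-oriented reader sees extra fields or extra records, while octal-escaping the field (the convention documented in getmntent(3)) keeps it to one record. The function names and the sample mount point are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Octal-escape space, tab, newline and backslash; -1 if out is too small. */
int mtab_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        int special = strchr(" \t\n\\", *in) != NULL;
        if (o + (special ? 4 : 1) >= outsz)
            return -1;
        if (special)
            o += (size_t)snprintf(out + o, outsz - o, "\\%03o",
                                  (unsigned)(unsigned char)*in);
        else
            out[o++] = *in;
    }
    if (o >= outsz)
        return -1;
    out[o] = '\0';
    return 0;
}

/* Format one record; esc == 0 writes fs and dir raw (the unsafe pattern). */
int mtab_line(char *buf, size_t sz, const char *fs, const char *dir, int esc)
{
    char f[2][512];
    if (esc && (mtab_escape(fs, f[0], sizeof f[0]) ||
                mtab_escape(dir, f[1], sizeof f[1])))
        return -1;
    int n = snprintf(buf, sz, "%s %s fuse rw 0 0\n",
                     esc ? f[0] : fs, esc ? f[1] : dir);
    return (n < 0 || (size_t)n >= sz) ? -1 : 0;
}

/* Number of records a line-oriented mtab reader would see in buf. */
int count_records(const char *buf)
{
    int n = 0;
    while ((buf = strchr(buf, '\n')) != NULL) { n++; buf++; }
    return n;
}

int main(void)
{
    char raw[512], safe[512];
    const char *dir = "/mnt/a b\nc\td\\e"; /* constructed sample name */
    mtab_line(raw, sizeof raw, "demo", dir, 0);
    mtab_line(safe, sizeof safe, "demo", dir, 1);
    printf("raw=%d escaped=%d\n%s", count_records(raw), count_records(safe), safe);
    return 0;
}
```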

---------------------------------------
Received: (at 340398-close) by bugs.debian.org; 2 Feb 2006 01:10:31 +0000
From: Bartosz Fenski <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#340398: fixed in fuse 2.5.1-1
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 01 Feb 2006 17:02:15 -0800

Source: fuse
Source-Version: 2.5.1-1

We believe that the bug you reported is fixed in the latest version of
fuse, which is due to be installed in the Debian FTP archive:

fuse-source_2.5.1-1_all.deb
  to pool/main/f/fuse/fuse-source_2.5.1-1_all.deb
fuse-utils_2.5.1-1_i386.deb
  to pool/main/f/fuse/fuse-utils_2.5.1-1_i386.deb
fuse_2.5.1-1.diff.gz
  to pool/main/f/fuse/fuse_2.5.1-1.diff.gz
fuse_2.5.1-1.dsc
  to pool/main/f/fuse/fuse_2.5.1-1.dsc
fuse_2.5.1.orig.tar.gz
  to pool/main/f/fuse/fuse_2.5.1.orig.tar.gz
libfuse-dev_2.5.1-1_i386.deb
  to pool/main/f/fuse/libfuse-dev_2.5.1-1_i386.deb
libfuse2_2.5.1-1_i386.deb
  to pool/main/f/fuse/libfuse2_2.5.1-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bartosz Fenski <[EMAIL PROTECTED]> (supplier of updated fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  2 Feb 2006 01:08:40 +0100
Source: fuse
Binary: libfuse2 libfuse-dev fuse-utils fuse-source
Architecture: source i386 all
Version: 2.5.1-1
Distribution: unstable
Urgency: low
Maintainer: Bartosz Fenski <[EMAIL PROTECTED]>
Changed-By: Bartosz Fenski <[EMAIL PROTECTED]>
Description: 
 fuse-source - Filesystem in USErspace (source for kernel module)
 fuse-utils - Filesystem in USErspace (utilities)
 libfuse-dev - Filesystem in USErspace (development files)
 libfuse2   - Filesystem in USErspace library
Closes: 297505 298829 306281 307624 307627 310964 326742 334381 334639 337568 337572 339688 340398 340796 342826 343702 350659
Changes: 
 fuse (2.5.1-1) unstable; urgency=low
 .
   * New upstream version. (Closes: #350659)
   * The 'Goodbye debconf' release.
     - reorganization of all packaging scripts to get rid of debconf stuff.
     - doesn't handle creation of group anymore, so
       (Closes: #307627, #342826, #310964, #306281, #307624)
   * ACK previous NMU. (Closes: #339688, #340398, #298829)
   * Handles creation/remove of fuse device. (Closes: #334639, #297505)
   * Since now fuse-source depends on either module-assistant
     or kernel-package. (Closes: #326742)
   * Includes mount.fuse script. (Closes: #343702, #334381)
   * Doesn't use debconf templates anymore. (Closes: #337568, #337572, #340796)
Files: 
 aa1a6c7ccc0ea86df31cd9cffad7a5ef 625 libs optional fuse_2.5.1-1.dsc
 c752f881c8b6586ce086fc8df3fb16e8 407660 libs optional fuse_2.5.1.orig.tar.gz
 de1fc9a564ff58fbe56555bb7ff06f1c 7730 libs optional fuse_2.5.1-1.diff.gz
 3809b9ef3570c0f3ef30824912d4eb6f 54884 utils optional 
fuse-utils_2.5.1-1_i386.deb
 b1cb86c3f4f757fdb13c0d7e8e445ca8 92192 libdevel optional 
libfuse-dev_2.5.1-1_i386.deb
 ce3e7dfea4a8a139e15cd9d013d5b126 48918 libs optional libfuse2_2.5.1-1_i386.deb
 7775d2543fae18baf246a00936f054e2 101684 utils optional 
fuse-source_2.5.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD4VgJhQui3hP+/EARAmQHAJwIiP8ym2Xi0K7NjHwnbGd9rjMZYgCgyY1P
UGGsyiCVPPzNX96vKlaUxxQ=
=5TCq
-----END PGP SIGNATURE-----

