Your message dated Wed, 01 Feb 2006 17:02:15 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#340398: fixed in fuse 2.5.1-1 has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: CVE-2005-3531: fusermount may corrupt /etc/mtab
Date: Wed, 23 Nov 2005 10:17:09 +0100
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>

Package: fuse-utils
Version: 2.4.0-1
Severity: grave
Tags: security
Justification: user security hole

Thomas Biege from the SuSE security team discovered that special chars such as "\n", "\t" and "\\" are misinterpreted by fusermount, which could potentially allow a user from the "fuse" group (or whatever group has been chosen) to manipulate mount options.

A patch from Miklos Szeredi can be found at
http://bugs.gentoo.org/attachment.cgi?id=73173

This has been assigned CVE-2005-3531, please mention it in the changelog when fixing it.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages fuse-utils depends on:
ii  adduser                3.79     Add and remove users and groups
ii  debconf [debconf-2.0]  1.4.59   Debian configuration management sy
ii  libc6                  2.3.5-8  GNU C Library: Shared libraries an
ii  sed                    4.1.4-4  The GNU sed stream editor
ii  ucf                    2.003    Update Configuration File: preserv

Versions of packages fuse-utils recommends:
pn  fuse-source            <none>   (no description available)

-- debconf information excluded

---------------------------------------
From: Bartosz Fenski <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#340398: fixed in fuse 2.5.1-1
Date: Wed, 01 Feb 2006 17:02:15 -0800

Source: fuse
Source-Version: 2.5.1-1

We believe that the bug you reported is fixed in the latest version of fuse, which is due to be installed in the Debian FTP archive:

fuse-source_2.5.1-1_all.deb
  to pool/main/f/fuse/fuse-source_2.5.1-1_all.deb
fuse-utils_2.5.1-1_i386.deb
  to pool/main/f/fuse/fuse-utils_2.5.1-1_i386.deb
fuse_2.5.1-1.diff.gz
  to pool/main/f/fuse/fuse_2.5.1-1.diff.gz
fuse_2.5.1-1.dsc
  to pool/main/f/fuse/fuse_2.5.1-1.dsc
fuse_2.5.1.orig.tar.gz
  to pool/main/f/fuse/fuse_2.5.1.orig.tar.gz
libfuse-dev_2.5.1-1_i386.deb
  to pool/main/f/fuse/libfuse-dev_2.5.1-1_i386.deb
libfuse2_2.5.1-1_i386.deb
  to pool/main/f/fuse/libfuse2_2.5.1-1_i386.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bartosz Fenski <[EMAIL PROTECTED]> (supplier of updated fuse package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Thu, 2 Feb 2006 01:08:40 +0100
Source: fuse
Binary: libfuse2 libfuse-dev fuse-utils fuse-source
Architecture: source i386 all
Version: 2.5.1-1
Distribution: unstable
Urgency: low
Maintainer: Bartosz Fenski <[EMAIL PROTECTED]>
Changed-By: Bartosz Fenski <[EMAIL PROTECTED]>
Description:
 fuse-source - Filesystem in USErspace (source for kernel module)
 fuse-utils - Filesystem in USErspace (utilities)
 libfuse-dev - Filesystem in USErspace (development files)
 libfuse2   - Filesystem in USErspace library
Closes: 297505 298829 306281 307624 307627 310964 326742 334381 334639 337568 337572 339688 340398 340796 342826 343702 350659
Changes:
 fuse (2.5.1-1) unstable; urgency=low
 .
   * New upstream version. (Closes: #350659)
   * The 'Goodbye debconf' release.
     - reorganization of all packaging scripts to get rid of debconf stuff.
     - doesn't handle creation of group anymore, so
       (Closes: #307627, #342826, #310964, #306281, #307624)
   * ACK previous NMU. (Closes: #339688, #340398, #298829)
   * Handles creation/remove of fuse device. (Closes: #334639, #297505)
   * Since now fuse-source depends on either module-assistant or
     kernel-package. (Closes: #326742)
   * Includes mount.fuse script. (Closes: #343702, #334381)
   * Doesn't use debconf templates anymore.
     (Closes: #337568, #337572, #340796)
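
The report above says fusermount misinterprets "\n", "\t" and "\\" when it touches /etc/mtab. As an added illustration (not code from fusermount or from the referenced patch), the C example below writes an mtab record with those characters replaced by the octal escapes that getmntent(3) decodes, so a mount point name cannot introduce extra fields or a second record. The function names, the sample values in the comments, and the choice to treat a space as special too are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if s has none of the characters the report names
 * ('\n', '\t', '\\') and no space, which also separates mtab fields. */
int mtab_field_is_safe(const char *s)
{
    return strpbrk(s, "\n\t\\ ") == NULL;
}

/* Hypothetical helper: copy in to out with the octal escapes getmntent(3)
 * decodes (\040 space, \011 tab, \012 newline, \134 backslash); -1 if full. */
int mtab_escape_field(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (; *in; in++) {
        size_t need = strchr(" \t\n\\", *in) ? 4 : 1;
        if (o + need >= outlen)          /* keep room for the final NUL */
            return -1;
        if (need == 4)
            snprintf(out + o, outlen - o, "\\%03o", (unsigned)(unsigned char)*in);
        else
            out[o] = *in;
        o += need;
    }
    out[o] = '\0';
    return 0;
}

/* Build one mtab record: device and mount point are escaped; type and
 * options are rejected if unsafe (an assumption of this example).
 * Returns the number of '\n' bytes written (1 when well formed), -1 on error. */
int format_mtab_entry(char *buf, size_t len, const char *fsname,
                      const char *dir, const char *type, const char *opts)
{
    char f[256], d[256];
    int n, newlines = 0;
    if (!mtab_field_is_safe(type) || !mtab_field_is_safe(opts) ||
        mtab_escape_field(fsname, f, sizeof f) || mtab_escape_field(dir, d, sizeof d))
        return -1;
    n = snprintf(buf, len, "%s %s %s %s 0 0\n", f, d, type, opts);
    if (n < 0 || (size_t)n >= len)
        return -1;
    for (const char *p = buf; *p; p++)
        newlines += (*p == '\n');
    return newlines;
}
```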