Debian Bug report logs - #311634
libfuse2: leaking previous memory contents to unprivileged users

Package: libfuse2; Maintainer for libfuse2 is Daniel Baumann <mail@daniel-baumann.ch>; Source for libfuse2 is src:fuse.

Reported by: Bartosz Fenski aka fEnIo <fenio@debian.org>

Date: Thu, 2 Jun 2005 11:18:02 UTC

Severity: critical

Tags: patch, security

Fixed in version fuse/2.3.0-1

Done: Bartosz Fenski <fenio@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#311634; Package libfuse2.

Acknowledgement sent to Bartosz Fenski aka fEnIo <fenio@debian.org>:
New Bug report received and forwarded. Copy sent to Bartosz Fenski <fenio@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Bartosz Fenski aka fEnIo <fenio@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libfuse2: leaking previous memory contents to unprivileged users
Date: Thu, 02 Jun 2005 13:08:17 +0200
Package: libfuse2
Severity: critical
Justification: root security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here's a quote from upstream's mail:

Here's a new major version of FUSE:

  http://prdownloads.sourceforge.net/fuse/fuse-2.3.0.tar.gz

It contains an important security fix that prevents leaking previous
memory contents to unprivileged users (thanks to Sven Tantau for the
report).  So if you are running a previous version of FUSE on a system
with untrusted users, upgrading is recommended.

regards
fEnIo

- -- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-2-686
Locale: LANG=pl_PL, LC_CTYPE=pl_PL (charmap=ISO-8859-2)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCnuihhQui3hP+/EARAiT8AKCYlLB4+7yPGNRSPcpzP0TGhSt8hgCgn/+o
LNZEk0d9cGkwcaQzABcybkE=
=gD0q
-----END PGP SIGNATURE-----



Tags added: security Request was from Bas Zoetekouw <bas@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#311634; Package libfuse2.

Acknowledgement sent to Bas Zoetekouw <bas@debian.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>.

Message #12 received at 311634@bugs.debian.org:

From: Bas Zoetekouw <bas@debian.org>
To: 311634@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: 311634 is a security bug
Date: Thu, 2 Jun 2005 14:05:55 +0200
tag 311634 + patch
thanks

Here's a patch that should fix the bug.  I've extracted it from the
upstream 2.3.0 release.


diff -Naur fuse-2.2.1.oldone/kernel/dev.c fuse-2.2.1/kernel/dev.c
--- fuse-2.2.1.oldone/kernel/dev.c	2005-03-08 15:39:26.000000000 +0100
+++ fuse-2.2.1/kernel/dev.c	2005-06-02 14:02:54.724582278 +0200
@@ -534,7 +534,7 @@
 	unsigned offset = req->page_offset;
 	unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset);
 
-	for (i = 0; i < req->num_pages && nbytes; i++) {
+	for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
 		struct page *page = req->pages[i];
 		int err = fuse_copy_page(cs, page, offset, count, zeroing);
 		if (err)
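
Review bot: the new condition (nbytes || zeroing) keeps the loop running after nbytes reaches 0, so every remaining page is handed to fuse_copy_page() with whatever count holds at that point, and the hunk shows neither count being recomputed nor the callee clearing a full page when count is 0. Please confirm that fuse_copy_page(cs, page, offset, 0, zeroing) zeroes the whole page rather than returning early, including the case where nbytes is already 0 on entry and the initial min(nbytes, (unsigned) PAGE_SIZE - offset) yields 0. A short comment above the for loop saying that the remaining pages must still be visited so their previous contents are cleared would keep a later cleanup from restoring the old && nbytes test.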

-- 
Kind regards,
+--------------------------------------------------------------------+
| Bas Zoetekouw              | GPG key: 0644fab7                     |
|----------------------------| Fingerprint: c1f5 f24c d514 3fec 8bf6 |
| bas@o2w.nl, bas@debian.org |              a2b1 2bae e41f 0644 fab7 |
+--------------------------------------------------------------------+ 



Tags added: patch Request was from Bas Zoetekouw <bas@debian.org> to control@bugs.debian.org.

Reply sent to Bartosz Fenski <fenio@debian.org>:
You have taken responsibility.

Notification sent to Bartosz Fenski aka fEnIo <fenio@debian.org>:
Bug acknowledged by developer.

Message #19 received at 311634-close@bugs.debian.org:

From: Bartosz Fenski <fenio@debian.org>
To: 311634-close@bugs.debian.org
Subject: Bug#311634: fixed in fuse 2.3.0-1
Date: Mon, 06 Jun 2005 07:32:36 -0400
Source: fuse
Source-Version: 2.3.0-1

We believe that the bug you reported is fixed in the latest version of
fuse, which is due to be installed in the Debian FTP archive:

fuse-source_2.3.0-1_all.deb
  to pool/main/f/fuse/fuse-source_2.3.0-1_all.deb
fuse-utils_2.3.0-1_i386.deb
  to pool/main/f/fuse/fuse-utils_2.3.0-1_i386.deb
fuse_2.3.0-1.diff.gz
  to pool/main/f/fuse/fuse_2.3.0-1.diff.gz
fuse_2.3.0-1.dsc
  to pool/main/f/fuse/fuse_2.3.0-1.dsc
fuse_2.3.0.orig.tar.gz
  to pool/main/f/fuse/fuse_2.3.0.orig.tar.gz
libfuse-dev_2.3.0-1_i386.deb
  to pool/main/f/fuse/libfuse-dev_2.3.0-1_i386.deb
libfuse2_2.3.0-1_i386.deb
  to pool/main/f/fuse/libfuse2_2.3.0-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 311634@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bartosz Fenski <fenio@debian.org> (supplier of updated fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  6 Jun 2005 13:01:12 +0200
Source: fuse
Binary: libfuse2 libfuse-dev fuse-utils fuse-source
Architecture: source i386 all
Version: 2.3.0-1
Distribution: unstable
Urgency: high
Maintainer: Bartosz Fenski <fenio@debian.org>
Changed-By: Bartosz Fenski <fenio@debian.org>
Description: 
 fuse-source - Filesystem in USErspace (source for kernel module)
 fuse-utils - Filesystem in USErspace (utilities)
 libfuse-dev - Filesystem in USErspace (development files)
 libfuse2   - Filesystem in USErspace library
Closes: 311634 311750
Changes: 
 fuse (2.3.0-1) unstable; urgency=high
 .
   * New upstream version.
     - fixes security bug (Closes: #311634)
   * Added Vietnamese debconf translation by Clytie Siddall (Closes: #311750)
Files: 
 be3eefaf76205fa94dd53d9668ec8a46 626 libs optional fuse_2.3.0-1.dsc
 0bee98df5b2a29841f75fc188975eabc 365847 libs optional fuse_2.3.0.orig.tar.gz
 14944c2ef7ba25deaee8ce54bb66008a 11091 libs optional fuse_2.3.0-1.diff.gz
 f980ca85bd4ed619cfc8e001b398d07b 42874 utils optional fuse-utils_2.3.0-1_i386.deb
 8c4cf4e9ca30ef1c69cbfb82cd38202a 58250 libdevel optional libfuse-dev_2.3.0-1_i386.deb
 3194c8c62182570387e2e2a0b0cfa302 35776 libs optional libfuse2_2.3.0-1_i386.deb
 a5e48ab3fa0be000693f40fc9a089e98 83692 utils optional fuse-source_2.3.0-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCpC50hQui3hP+/EARAgfIAKDPJFq4qB7rmQDenadshZo2TWrzhACfQN+n
kgz8Iew305o6L9pWWcX8zAY=
=EfUb
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 03:32:07 2014; Machine Name: beach.debian.org
