Debian Bug report logs - #490921
CVE-2008-2232: privilege escalation

version graph

Package: afuse; Maintainer for afuse is Varun Hiremath <varun@debian.org>; Source for afuse is src:afuse.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Tue, 15 Jul 2008 11:07:01 UTC

Severity: grave

Tags: security

Found in version afuse/0.2-2

Fixed in version afuse/0.2-3

Done: Varun Hiremath <varun@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Varun Hiremath <varun@debian.org>:
Bug#490921; Package afuse. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Varun Hiremath <varun@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-2232: privilege escalation
Date: Tue, 15 Jul 2008 21:05:19 +1000
[Message part 1 (text/plain, inline)]
Package: afuse
Version: 0.2-2
Severity: grave
Tags: security
Justification: user security hole

Hi

A privilege escalation has been reported against afuse.
This issue is CVE-2008-2232.

Here is some additional information:

afuse accepts a command line of the form
  afuse /path -o mount_template="mount-script %m %r" \
      unmount_template="unmount-script %m %r"
It replaces %m with the mountpoint and %r with the next component of the
pathname being accessed.  These interpolated strings are inserted inside
double quotes, but metacharacters within them are not escaped.  The
resulting string is then passed to system() and executed by the shell.

Therefore, an attacker with read access to the afuse filesystem can gain
the privileges of its owner, using paths such as
  /path/";arbitrary command;"
  /path/`arbitrary command`

The patch attached is from the original is from the original reporter
Anders Kaseorg, please honour him in the changelog.

When you fix this issue, please mention the CVE id in your changelog.

Cheers
Steffen
[afuse-template-tokenize.patch (text/x-c++, attachment)]

Reply sent to Varun Hiremath <varun@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 490921-close@bugs.debian.org (full text, mbox):

From: Varun Hiremath <varun@debian.org>
To: 490921-close@bugs.debian.org
Subject: Bug#490921: fixed in afuse 0.2-3
Date: Tue, 15 Jul 2008 18:47:02 +0000
Source: afuse
Source-Version: 0.2-3

We believe that the bug you reported is fixed in the latest version of
afuse, which is due to be installed in the Debian FTP archive:

afuse_0.2-3.diff.gz
  to pool/main/a/afuse/afuse_0.2-3.diff.gz
afuse_0.2-3.dsc
  to pool/main/a/afuse/afuse_0.2-3.dsc
afuse_0.2-3_i386.deb
  to pool/main/a/afuse/afuse_0.2-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 490921@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Varun Hiremath <varun@debian.org> (supplier of updated afuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 16 Jul 2008 00:06:59 +0530
Source: afuse
Binary: afuse
Architecture: source i386
Version: 0.2-3
Distribution: unstable
Urgency: high
Maintainer: Varun Hiremath <varun@debian.org>
Changed-By: Varun Hiremath <varun@debian.org>
Description: 
 afuse      - automounting file system implemented in user-space using FUSE
Closes: 490921
Changes: 
 afuse (0.2-3) unstable; urgency=high
 .
   * Security fix for CVE-2008-2232: Add afuse-template-tokenize.diff patch
     to fix potential privilege escalation caused by unescaped
     meta-characters in path. Thanks to Anders Kaseorg for the
     patch. (Closes: #490921)
   * Bump Standards-Version to 3.8.0
Checksums-Sha1: 
 48c440510d316104004d60aab98c276e1522a337 1140 afuse_0.2-3.dsc
 c01fdb74fc458c780c3181e2f9201a6071181c2d 4411 afuse_0.2-3.diff.gz
 aa36e345f8533add58bb4cfa9300dc83fb894dfe 16514 afuse_0.2-3_i386.deb
Checksums-Sha256: 
 8cdd4f4b0e2fd142ca3cc4a6254b9935d258cc117927767cd52d871269fdc938 1140 afuse_0.2-3.dsc
 1755e5196bfc4b590bb7bb31ff67e225557dedf6ebb202d5a2ec40ba6863ec03 4411 afuse_0.2-3.diff.gz
 138dd5d294df1abd21e2ca402c57bd13f238fcb615e8c1eec61bb6dbc4895594 16514 afuse_0.2-3_i386.deb
Files: 
 7ab98f70e5f076ca4fcd66ecf4d6e6e9 1140 utils optional afuse_0.2-3.dsc
 9da55e79dcd4682a866bccd616cfe911 4411 utils optional afuse_0.2-3.diff.gz
 f1c9159ca9b1f403599873aa41601726 16514 utils optional afuse_0.2-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIfO7wPEFSUMxFMZcRAtQ8AJ4nmeGiuEBEKIv0/gxvcgnElUqJ3ACePnYy
9wzt9UmCfQWlSxY9awSActo=
=+1VA
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2008 07:29:11 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 07:30:43 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.