Debian Bug report logs - #490921
CVE-2008-2232: privilege escalation

Package: afuse; Maintainer for afuse is Varun Hiremath <>; Source for afuse is src:afuse.

Reported by: Steffen Joeris <>

Date: Tue, 15 Jul 2008 11:07:01 UTC

Severity: grave

Tags: security

Found in version afuse/0.2-2

Fixed in version afuse/0.2-3

Done: Varun Hiremath <>

Bug is archived. No further changes may be made.

Report forwarded to, Debian Security Team <>, Debian Testing Security Team <>, Varun Hiremath <>:
Bug#490921; Package afuse. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <>:
New Bug report received and forwarded. Copy sent to Debian Security Team <>, Debian Testing Security Team <>, Varun Hiremath <>. Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Steffen Joeris <>
To: Debian Bug Tracking System <>
Subject: CVE-2008-2232: privilege escalation
Date: Tue, 15 Jul 2008 21:05:19 +1000
Package: afuse
Version: 0.2-2
Severity: grave
Tags: security
Justification: user security hole


A privilege escalation has been reported against afuse.
This issue is CVE-2008-2232.

Here is some additional information:

afuse accepts a command line of the form
  afuse /path -o mount_template="mount-script %m %r" \
      unmount_template="unmount-script %m %r"
It replaces %m with the mountpoint and %r with the next component of the
pathname being accessed.  These interpolated strings are inserted inside
double quotes, but metacharacters within them are not escaped.  The
resulting string is then passed to system() and executed by the shell.

Therefore, an attacker with read access to the afuse filesystem can gain
the privileges of its owner, using paths such as
  /path/";arbitrary command;"
  /path/`arbitrary command`

The patch attached is from the original reporter
Anders Kaseorg, please honour him in the changelog.

When you fix this issue, please mention the CVE id in your changelog.

[afuse-template-tokenize.patch (text/x-c++, attachment)]
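
One way to keep interpolated path components away from the shell, as an added sketch (not the attached patch and not afuse code): split the template into arguments first, substitute `%m`/`%r` inside each token, and hand the resulting vector to `execvp()` instead of `system()`. The names `build_argv`, `expand_token` and `MAX_ARGS` are hypothetical, and the sketch assumes a whitespace-separated template with no quoting support.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ARGS 16

/* Expand %m and %r inside one already-split template token. */
static char *expand_token(const char *tok, const char *mnt, const char *root)
{
    size_t ml = strlen(mnt), rl = strlen(root);
    char *out = malloc(strlen(tok) * ((ml > rl ? ml : rl) + 1) + 1), *p = out;
    if (!out) return NULL;
    for (; *tok; tok++) {
        if (tok[0] == '%' && tok[1] == 'm') { memcpy(p, mnt, ml); p += ml; tok++; }
        else if (tok[0] == '%' && tok[1] == 'r') { memcpy(p, root, rl); p += rl; tok++; }
        else *p++ = *tok;
    }
    *p = '\0';
    return out;
}

/* Split on whitespace first, then substitute per token, so an interpolated
 * value can never add, split or terminate an argument.
 * Returns argc or -1; argv is NULL-terminated, ready for execvp(). */
int build_argv(const char *tmpl, const char *mnt, const char *root, char **argv)
{
    int argc = 0;
    while (*tmpl) {
        char tok[256];
        size_t n = strcspn(tmpl, " \t");
        if (n == 0) { tmpl++; continue; }            /* skip separators */
        if (n >= sizeof tok || argc == MAX_ARGS - 1) goto fail;
        memcpy(tok, tmpl, n); tok[n] = '\0';
        if (!(argv[argc] = expand_token(tok, mnt, root))) goto fail;
        argc++; tmpl += n;
    }
    argv[argc] = NULL;
    return argc;
fail:
    while (argc > 0) free(argv[--argc]);
    return -1;
}

int main(void)
{
    char *argv[MAX_ARGS];   /* constructed input: path component quoted in the report */
    int argc = build_argv("mount-script %m %r", "/path", "\";arbitrary command;\"", argv);
    for (int i = 0; i < argc; i++) printf("argv[%d] = [%s]\n", i, argv[i]);
    return argc == 3 ? 0 : 1;
}
```

With this approach the path component from the report arrives at the mount script as one literal argument, because no shell ever parses it.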

Reply sent to Varun Hiremath <>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Varun Hiremath <>
Subject: Bug#490921: fixed in afuse 0.2-3
Date: Tue, 15 Jul 2008 18:47:02 +0000
Source: afuse
Source-Version: 0.2-3

We believe that the bug you reported is fixed in the latest version of
afuse, which is due to be installed in the Debian FTP archive:

  to pool/main/a/afuse/afuse_0.2-3.diff.gz
  to pool/main/a/afuse/afuse_0.2-3.dsc
  to pool/main/a/afuse/afuse_0.2-3_i386.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Varun Hiremath <> (supplier of updated afuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Format: 1.8
Date: Wed, 16 Jul 2008 00:06:59 +0530
Source: afuse
Binary: afuse
Architecture: source i386
Version: 0.2-3
Distribution: unstable
Urgency: high
Maintainer: Varun Hiremath <>
Changed-By: Varun Hiremath <>
 afuse      - automounting file system implemented in user-space using FUSE
Closes: 490921
 afuse (0.2-3) unstable; urgency=high
   * Security fix for CVE-2008-2232: Add afuse-template-tokenize.diff patch
     to fix potential privilege escalation caused by unescaped
     meta-characters in path. Thanks to Anders Kaseorg for the
     patch. (Closes: #490921)
   * Bump Standards-Version to 3.8.0

Bug archived. Request was from Debbugs Internal Request <> to (Sun, 24 Aug 2008 07:29:11 GMT) Full text and rfc822 format available.
