Debian Bug report logs - #567633
race condition in fusermount

version graph

Package: fuse-utils; Maintainer for fuse-utils is Daniel Baumann <daniel.baumann@progress-technologies.net>; Source for fuse-utils is src:fuse.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 30 Jan 2010 11:12:04 UTC

Severity: grave

Tags: security

Fixed in versions fuse/2.8.1-1.2, fuse/2.7.4-1.1+lenny1, fuse/2.5.3-4.4+etch1

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#567633; Package fuse-utils. (Sat, 30 Jan 2010 11:12:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bartosz Fenski <fenio@debian.org>. (Sat, 30 Jan 2010 11:12:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: race condition in fusermount
Date: Sat, 30 Jan 2010 12:11:19 +0100
Package: fuse-utils
Severity: grave
Tags: security

fuse 2.8.2 fixes a race condition if two fusermount -u instances
are run in paralell, which allows local privilege escalation.

This issue was discovered by Dan Rosenberg.

Cheers,
        Moritz


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages fuse-utils depends on:
ii  adduser                       3.112      add and remove users and groups
ii  libc6                         2.10.2-5   Embedded GNU C Library: Shared lib
pn  libfuse2                      <none>     (no description available)
ii  makedev                       2.3.1-89   creates device files in /dev
ii  sed                           4.2.1-6    The GNU sed stream editor
ii  udev                          150-2      /dev/ and hotplug management daemo

fuse-utils recommends no packages.

fuse-utils suggests no packages.




Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#567633; Package fuse-utils. (Sun, 31 Jan 2010 21:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 31 Jan 2010 21:39:07 GMT) Full text and rfc822 format available.

Message #10 received at 567633@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 567633@bugs.debian.org
Subject: NMU
Date: Sun, 31 Jan 2010 22:37:23 +0100
[Message part 1 (text/plain, inline)]
Hi,

Attached is a debdiff of the changes I made for 2.8.1-1.2 0-day NMU.

Cheers,
Giuseppe

[fuse_2.8.1-1.2.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sun, 31 Jan 2010 22:12:05 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 31 Jan 2010 22:12:05 GMT) Full text and rfc822 format available.

Message #15 received at 567633-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 567633-close@bugs.debian.org
Subject: Bug#567633: fixed in fuse 2.8.1-1.2
Date: Sun, 31 Jan 2010 22:07:49 +0000
Source: fuse
Source-Version: 2.8.1-1.2

We believe that the bug you reported is fixed in the latest version of
fuse, which is due to be installed in the Debian FTP archive:

fuse-utils_2.8.1-1.2_i386.deb
  to main/f/fuse/fuse-utils_2.8.1-1.2_i386.deb
fuse_2.8.1-1.2.diff.gz
  to main/f/fuse/fuse_2.8.1-1.2.diff.gz
fuse_2.8.1-1.2.dsc
  to main/f/fuse/fuse_2.8.1-1.2.dsc
libfuse-dev_2.8.1-1.2_i386.deb
  to main/f/fuse/libfuse-dev_2.8.1-1.2_i386.deb
libfuse2_2.8.1-1.2_i386.deb
  to main/f/fuse/libfuse2_2.8.1-1.2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 567633@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 31 Jan 2010 22:23:35 +0100
Source: fuse
Binary: fuse-utils libfuse-dev libfuse2
Architecture: source i386
Version: 2.8.1-1.2
Distribution: unstable
Urgency: high
Maintainer: Bartosz Fenski <fenio@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 fuse-utils - Filesystem in USErspace (utilities)
 libfuse-dev - Filesystem in USErspace (development files)
 libfuse2   - Filesystem in USErspace library
Closes: 567633
Changes: 
 fuse (2.8.1-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-3297: race condition in fusermount (Closes: #567633)
Checksums-Sha1: 
 7bcc7b9947d4a4e48857d5f8073e09f2ead8036a 1209 fuse_2.8.1-1.2.dsc
 3b199935eb983b3b720b62393530517e0394c024 18137 fuse_2.8.1-1.2.diff.gz
 ea79bf504b11e2fee931173bc4b76aab2a5e676b 18130 fuse-utils_2.8.1-1.2_i386.deb
 64bd17d8df6291a15355789460e3e1a76459f714 178144 libfuse-dev_2.8.1-1.2_i386.deb
 47386b3f29828dc38933c923a8fa4b06f6827421 135750 libfuse2_2.8.1-1.2_i386.deb
Checksums-Sha256: 
 64662c8f6d6b470c0124b123cc905e6676db05c26fbd78e6816c2f07aead2670 1209 fuse_2.8.1-1.2.dsc
 e34d039d03562defc1653bda1a71acc1bbaf567b64a233dfdcbcbc6331566e1a 18137 fuse_2.8.1-1.2.diff.gz
 a3bc5ea3947d8aead9b8ef1cf589996e87d20983934a946d0cc84c05236dba8a 18130 fuse-utils_2.8.1-1.2_i386.deb
 fef5bf0aa8d0a2ea18917f0488c876a4e5d6ba6b2a1ff8ae19b99addbbf0a5c0 178144 libfuse-dev_2.8.1-1.2_i386.deb
 d9e75f9571ae5b37fd1636d3c2b0a8a509fb767dd2c9bbd19675461e4aec0b08 135750 libfuse2_2.8.1-1.2_i386.deb
Files: 
 6c3a00441def3436ea3c4dda28b4c670 1209 libs optional fuse_2.8.1-1.2.dsc
 0bd1165646ead347967a20bb30cd5412 18137 libs optional fuse_2.8.1-1.2.diff.gz
 ad9bc0152474b39589f2e1f1e26de677 18130 utils optional fuse-utils_2.8.1-1.2_i386.deb
 bf64fd3fa1bb7ebb5ea94809fc22ac28 178144 libdevel optional libfuse-dev_2.8.1-1.2_i386.deb
 e1259b984b72e5fd1fcc4d9a9f9e5111 135750 libs optional libfuse2_2.8.1-1.2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktl+C8ACgkQNxpp46476ao0lACgnfwTE46uQkkTA687pKBABFXY
4iwAn2xlz50nSXO6OMcYU6MBWM9Pcz0W
=izfX
-----END PGP SIGNATURE-----





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Wed, 03 Feb 2010 13:54:05 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 03 Feb 2010 13:54:05 GMT) Full text and rfc822 format available.

Message #20 received at 567633-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 567633-close@bugs.debian.org
Subject: Bug#567633: fixed in fuse 2.7.4-1.1+lenny1
Date: Wed, 03 Feb 2010 13:52:40 +0000
Source: fuse
Source-Version: 2.7.4-1.1+lenny1

We believe that the bug you reported is fixed in the latest version of
fuse, which is due to be installed in the Debian FTP archive:

fuse-utils_2.7.4-1.1+lenny1_i386.deb
  to main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_i386.deb
fuse_2.7.4-1.1+lenny1.diff.gz
  to main/f/fuse/fuse_2.7.4-1.1+lenny1.diff.gz
fuse_2.7.4-1.1+lenny1.dsc
  to main/f/fuse/fuse_2.7.4-1.1+lenny1.dsc
libfuse-dev_2.7.4-1.1+lenny1_i386.deb
  to main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_i386.deb
libfuse2_2.7.4-1.1+lenny1_i386.deb
  to main/f/fuse/libfuse2_2.7.4-1.1+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 567633@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 31 Jan 2010 23:12:19 +0100
Source: fuse
Binary: fuse-utils libfuse-dev libfuse2
Architecture: source i386
Version: 2.7.4-1.1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Bartosz Fenski <fenio@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 fuse-utils - Filesystem in USErspace (utilities)
 libfuse-dev - Filesystem in USErspace (development files)
 libfuse2   - Filesystem in USErspace library
Closes: 567633
Changes: 
 fuse (2.7.4-1.1+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-3297: race condition in fusermount (Closes: #567633)
Checksums-Sha1: 
 a894c7aa5d1e2add5729fb51b99f476fab34a63d 1171 fuse_2.7.4-1.1+lenny1.dsc
 7a86f5cf39f38e64ccbae093599d64a895b950ba 506658 fuse_2.7.4.orig.tar.gz
 75d3afb85eec0665b50dd2794d166598d06850c4 16066 fuse_2.7.4-1.1+lenny1.diff.gz
 ec95e23e06cc7d996d7ae5994064fcf505601a5d 17894 fuse-utils_2.7.4-1.1+lenny1_i386.deb
 999968079e2527c4b4fde7e4f9866ab883e69576 155244 libfuse-dev_2.7.4-1.1+lenny1_i386.deb
 5c9a4729ddbb2540d255210648f6205e1f78d7c0 124622 libfuse2_2.7.4-1.1+lenny1_i386.deb
Checksums-Sha256: 
 e9a52d51a75aba25788075ba6f4267cd9590e984d50d28d47d620f6b68b58e66 1171 fuse_2.7.4-1.1+lenny1.dsc
 c8b070ece5d4e09bd06eea6c28818c718f803d93a4b85bacb9982deb8ded49e6 506658 fuse_2.7.4.orig.tar.gz
 9b3bf867995f76438a157d33d2f12ce25daa1365b0d08d2f360223eb7d54c428 16066 fuse_2.7.4-1.1+lenny1.diff.gz
 355ac7c0c258f1035cfe19d01b62a0f916af8341d8b6b8e5288f997e096d1f0f 17894 fuse-utils_2.7.4-1.1+lenny1_i386.deb
 202cdafb6b40048bcaa85c8bf789696758497300aabffeaeaf6625fe37b000c1 155244 libfuse-dev_2.7.4-1.1+lenny1_i386.deb
 e85fda37a49c7a05d9363d04d18a87d9bbc6d6f67372a8d9d05fe04ad75f0c31 124622 libfuse2_2.7.4-1.1+lenny1_i386.deb
Files: 
 889cfc800cd72828730f8bcbd9c777d9 1171 libs optional fuse_2.7.4-1.1+lenny1.dsc
 4879f06570d2225667534c37fea04213 506658 libs optional fuse_2.7.4.orig.tar.gz
 f3a61d6fc003f1a2bf3ea9430f2c9a70 16066 libs optional fuse_2.7.4-1.1+lenny1.diff.gz
 fc0807ee515177aec7ebf4e90cd28262 17894 utils optional fuse-utils_2.7.4-1.1+lenny1_i386.deb
 1d33eb00f1912b128fa225e4032e6272 155244 libdevel optional libfuse-dev_2.7.4-1.1+lenny1_i386.deb
 443691cc6cff7d375d3e58fc6ef7b6d0 124622 libs optional libfuse2_2.7.4-1.1+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktmk/cACgkQNxpp46476apTBwCdENfa7beHYimQ/CpUbMxBJw6E
nhsAn1k6qUnexXcpsR1mp3d3KvXj87Pi
=hLYk
-----END PGP SIGNATURE-----





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Thu, 18 Feb 2010 07:54:07 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 18 Feb 2010 07:54:07 GMT) Full text and rfc822 format available.

Message #25 received at 567633-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 567633-close@bugs.debian.org
Subject: Bug#567633: fixed in fuse 2.5.3-4.4+etch1
Date: Thu, 18 Feb 2010 07:53:24 +0000
Source: fuse
Source-Version: 2.5.3-4.4+etch1

We believe that the bug you reported is fixed in the latest version of
fuse, which is due to be installed in the Debian FTP archive:

fuse-utils_2.5.3-4.4+etch1_i386.deb
  to main/f/fuse/fuse-utils_2.5.3-4.4+etch1_i386.deb
fuse_2.5.3-4.4+etch1.diff.gz
  to main/f/fuse/fuse_2.5.3-4.4+etch1.diff.gz
fuse_2.5.3-4.4+etch1.dsc
  to main/f/fuse/fuse_2.5.3-4.4+etch1.dsc
libfuse-dev_2.5.3-4.4+etch1_i386.deb
  to main/f/fuse/libfuse-dev_2.5.3-4.4+etch1_i386.deb
libfuse2_2.5.3-4.4+etch1_i386.deb
  to main/f/fuse/libfuse2_2.5.3-4.4+etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 567633@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 01 Feb 2010 22:49:29 +0100
Source: fuse
Binary: libfuse2 libfuse-dev fuse-utils
Architecture: source i386
Version: 2.5.3-4.4+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Bartosz Fenski <fenio@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 fuse-utils - Filesystem in USErspace (utilities)
 libfuse-dev - Filesystem in USErspace (development files)
 libfuse2   - Filesystem in USErspace library
Closes: 567633
Changes: 
 fuse (2.5.3-4.4+etch1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Backported upstream patch to fix CVE-2009-3297 (Closes: #567633)
Files: 
 5886da280cc253c8ec2c04f5423238ee 627 libs optional fuse_2.5.3-4.4+etch1.dsc
 9c7e8b6606b9f158ae20b8521ba2867c 409443 libs optional fuse_2.5.3.orig.tar.gz
 884b1f0d8646b121d133bb62a42e23c3 11785 libs optional fuse_2.5.3-4.4+etch1.diff.gz
 cfd1cee4477d2636b8b522a25310c984 58368 utils optional fuse-utils_2.5.3-4.4+etch1_i386.deb
 c692a6cb705c58ff1cea736f51bec18c 94356 libdevel optional libfuse-dev_2.5.3-4.4+etch1_i386.deb
 55537e1c0561f86fff06f0a1319098de 50812 libs optional libfuse2_2.5.3-4.4+etch1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktnTw8ACgkQNxpp46476apHQwCeIB3KsUlRTh5BG155GGGl+B06
/joAoIfylsmlXn4SZhxY15zaGtCP8F8k
=GczE
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:35:23 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 15:36:33 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.