Your message dated Mon, 06 Jun 2005 07:32:36 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#311634: fixed in fuse 2.3.0-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Bartosz Fenski aka fEnIo <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: libfuse2: leaking previous memory contents to unprivileged users
X-Mailer: reportbug 3.12
Date: Thu, 02 Jun 2005 13:08:17 +0200

Package: libfuse2
Severity: critical
Justification: root security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here's a quote from upstream's mail:

Here's a new major version of FUSE:

  http://prdownloads.sourceforge.net/fuse/fuse-2.3.0.tar.gz

It contains an important security fix that prevents leaking previous
memory contents to unprivileged users (thanks to Sven Tantau for the
report).  So if you are running a previous version of FUSE on a system
with untrusted users, upgrading is recommended.

regards
fEnIo

- -- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-2-686
Locale: LANG=pl_PL, LC_CTYPE=pl_PL (charmap=ISO-8859-2)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCnuihhQui3hP+/EARAiT8AKCYlLB4+7yPGNRSPcpzP0TGhSt8hgCgn/+o
LNZEk0d9cGkwcaQzABcybkE=
=gD0q
-----END PGP SIGNATURE-----

---------------------------------------
From: Bartosz Fenski <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#311634: fixed in fuse 2.3.0-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 06 Jun 2005 07:32:36 -0400

Source: fuse
Source-Version: 2.3.0-1

We believe that the bug you reported is fixed in the latest version of
fuse, which is due to be installed in the Debian FTP archive:

fuse-source_2.3.0-1_all.deb
  to pool/main/f/fuse/fuse-source_2.3.0-1_all.deb
fuse-utils_2.3.0-1_i386.deb
  to pool/main/f/fuse/fuse-utils_2.3.0-1_i386.deb
fuse_2.3.0-1.diff.gz
  to pool/main/f/fuse/fuse_2.3.0-1.diff.gz
fuse_2.3.0-1.dsc
  to pool/main/f/fuse/fuse_2.3.0-1.dsc
fuse_2.3.0.orig.tar.gz
  to pool/main/f/fuse/fuse_2.3.0.orig.tar.gz
libfuse-dev_2.3.0-1_i386.deb
  to pool/main/f/fuse/libfuse-dev_2.3.0-1_i386.deb
libfuse2_2.3.0-1_i386.deb
  to pool/main/f/fuse/libfuse2_2.3.0-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bartosz Fenski <[EMAIL PROTECTED]> (supplier of updated fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  6 Jun 2005 13:01:12 +0200
Source: fuse
Binary: libfuse2 libfuse-dev fuse-utils fuse-source
Architecture: source i386 all
Version: 2.3.0-1
Distribution: unstable
Urgency: high
Maintainer: Bartosz Fenski <[EMAIL PROTECTED]>
Changed-By: Bartosz Fenski <[EMAIL PROTECTED]>
Description: 
 fuse-source - Filesystem in USErspace (source for kernel module)
 fuse-utils - Filesystem in USErspace (utilities)
 libfuse-dev - Filesystem in USErspace (development files)
 libfuse2   - Filesystem in USErspace library
Closes: 311634 311750
Changes: 
 fuse (2.3.0-1) unstable; urgency=high
 .
   * New upstream version.
     - fixes security bug (Closes: #311634)
   * Added Vietnamese debconf translation by Clytie Siddall (Closes: #311750)
Files: 
 be3eefaf76205fa94dd53d9668ec8a46 626 libs optional fuse_2.3.0-1.dsc
 0bee98df5b2a29841f75fc188975eabc 365847 libs optional fuse_2.3.0.orig.tar.gz
 14944c2ef7ba25deaee8ce54bb66008a 11091 libs optional fuse_2.3.0-1.diff.gz
 f980ca85bd4ed619cfc8e001b398d07b 42874 utils optional fuse-utils_2.3.0-1_i386.deb
 8c4cf4e9ca30ef1c69cbfb82cd38202a 58250 libdevel optional libfuse-dev_2.3.0-1_i386.deb
 3194c8c62182570387e2e2a0b0cfa302 35776 libs optional libfuse2_2.3.0-1_i386.deb
 a5e48ab3fa0be000693f40fc9a089e98 83692 utils optional fuse-source_2.3.0-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCpC50hQui3hP+/EARAgfIAKDPJFq4qB7rmQDenadshZo2TWrzhACfQN+n
kgz8Iew305o6L9pWWcX8zAY=
=EfUb
-----END PGP SIGNATURE-----

