Package: fuse-utils
Version: 2.4.0-1
Severity: grave
Tags: security
Justification: user security hole

Thomas Biege from the SuSE security team discovered that special chars such as "\n", "\t" and "\\" are misinterpreted by fusermount, which could potentially allow a user from the "fuse" group (or whatever group has been chosen) to manipulate mount options.

A patch from Miklos Szeredi can be found at
http://bugs.gentoo.org/attachment.cgi?id=73173

This has been assigned CVE-2005-3531, please mention it in the changelog when fixing it.

Cheers,
Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages fuse-utils depends on:
ii  adduser                 3.79    Add and remove users and groups
ii  debconf [debconf-2.0]   1.4.59  Debian configuration management sy
ii  libc6                   2.3.5-8 GNU C Library: Shared libraries an
ii  sed                     4.1.4-4 The GNU sed stream editor
ii  ucf                     2.003   Update Configuration File: preserv

Versions of packages fuse-utils recommends:
pn  fuse-source             <none>  (no description available)

-- debconf information excluded
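
An added example, not part of the original report and not the patch it links to: a sketch of why "\n", "\t" and "\\" in a mount point name matter once that name is written into a whitespace-delimited, line-oriented mount table, and how octal escaping keeps it one record. It assumes a getmntent(3)-style line layout; `encode_field`, `records_in_line`, the `examplefs` name and the option string are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Encode one mount-table field: space, tab, newline and backslash become
 * octal escapes (the form getmntent(3) decodes), so a field cannot end early
 * or start a new record. Returns encoded length, or -1 if out is too small. */
int encode_field(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int special = (c == ' ' || c == '\t' || c == '\n' || c == '\\');
        if (o + (special ? 4 : 1) >= outlen)
            return -1;
        if (special)
            o += (size_t)snprintf(out + o, outlen - o, "\\%03o", (unsigned)c);
        else
            out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Format one table line (assumed layout and options) and count the records
 * it contains; anything other than 1 means the name altered the table. */
int records_in_line(const char *dir, int escape, char *line, size_t len)
{
    char field[256];
    int n, records = 0;
    if (escape && encode_field(dir, field, sizeof field) < 0)
        return -1;
    n = snprintf(line, len, "examplefs %s fuse rw,nosuid,nodev 0 0\n", escape ? field : dir);
    if (n < 0 || (size_t)n >= len)
        return -1;
    for (const char *p = line; *p; p++)
        records += (*p == '\n');
    return records;
}

int main(void)
{
    char line[512];
    const char *name = "/home/u/a\nb";  /* constructed directory name */
    printf("raw: %d record(s)\n", records_in_line(name, 0, line, sizeof line));
    printf("escaped: %d record(s)\n%s", records_in_line(name, 1, line, sizeof line), line);
    return 0;
}
```
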