On Sat, 2009-01-31 at 18:53 +0100, Bernd Schubert wrote: > Dear release team, > > as I already wrote to the mentors list, there is a critical bug in unionfs- > fuse, see below. So far nobody uploaded the package, maybe due to possible > security implications? Or maybe since I also included two other changes? > > Main fix: Bug#511995, one byte to few was malloced on converting relative to > absolute pathes, causing a buffer overflow when relative pathes are specified. [...] unionfs-fuse is not installed with the setuid bit set, so this doesn't allow privilege escalation. And users should not be passing untrusted strings to it, so it doesn't allow compromising an ordinary user account. So, not a security flaw so far as I can see. But it obviously ought to be fixed. Ben. -- Ben Hutchings Usenet is essentially a HUGE group of people passing notes in class. - Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'
Description: This is a digitally signed message part