Dear release team,

as I already wrote to the mentors list, there is a critical bug in unionfs-fuse, see below. So far nobody uploaded the package, maybe due to possible security implications? Or maybe since I also included two other changes?

Main fix: Bug#511995, one byte too few was malloced on converting relative to absolute paths, causing a buffer overflow when relative paths are specified.

Second fix: Bug#511158, move binary to /usr/bin, since it can be used by all users.

Third fix: Add some details to the man page, that not everything might work as expected without the option "-ocow".

If the 2nd and 3rd fix are not acceptable for Lenny, please tell me so, I will then remove these two patches.

On Wednesday 28 January 2009, Bernd Schubert wrote:
> Dear mentors,
>
> I'm looking for a sponsor to upload the new version 0.21-3 of unionfs-fuse
> in order to fix an important bug. There is a one byte buffer overflow
> (bug#511995). I don't think it can be used to compromise security, but
> still, it should be fixed as soon as possible.
>
> It builds these binary packages:
> unionfs-fuse - Fuse implementation of unionfs
>
> The package appears to be lintian clean.
>
> The upload would fix these bugs: 511158, 511995
>
> The package can be found on mentors.debian.net:
> - URL: http://mentors.debian.net/debian/pool/main/u/unionfs-fuse
> - Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free
> - dget http://mentors.debian.net/debian/pool/main/u/unionfs-fuse/unionfs-fuse_0.21-3.dsc
>
> I would be glad if someone uploaded this package for me.

Here is also the debdiff output:

bernd@bathl debian_commit>debdiff 21-2/unionfs-fuse_0.21-2.dsc unionfs-fuse_0.21-3.dsc
diff -u unionfs-fuse-0.21/debian/changelog unionfs-fuse-0.21/debian/changelog --- unionfs-fuse-0.21/debian/changelog +++ unionfs-fuse-0.21/debian/changelog
@@ -1,3 +1,14 @@ +unionfs-fuse (0.21-3) unstable; urgency=high + + * fixes critical buffer overflow on using relativ pathes + * slightly improve the man page to tell people without -ocow + not everything might work as expected + * change binary path from /usr/sbin to /usr/bin + * (closes: #511995) + * (closes: #511158) + + -- Bernd Schubert <bernd-schubert@gmx.de> Sat, 24 Jan 2009 00:10:44 +0100 + unionfs-fuse (0.21-2) unstable; urgency=high * fix a critical bug: creating new files in directories existing only diff -u unionfs-fuse-0.21/debian/patches/series unionfs- fuse-0.21/debian/patches/series --- unionfs-fuse-0.21/debian/patches/series +++ unionfs-fuse-0.21/debian/patches/series @@ -2,0 +3,3 @@ +bug511995.patch +man_cow.patch +bug511158.patch only in patch2: unchanged: --- unionfs-fuse-0.21.orig/debian/patches/bug511158.patch +++ unionfs-fuse-0.21/debian/patches/bug511158.patch @@ -0,0 +1,13 @@ +Change man path from /usr/sbin to /usr/bin as suggested by Raphael Geissert +in bug #511047. + +Index: unionfs-fuse-0.21/src/CMakeLists.txt +=================================================================== +--- unionfs-fuse-0.21.orig/src/CMakeLists.txt ++++ unionfs-fuse-0.21/src/CMakeLists.txt +@@ -23,4 +23,4 @@ set(UNIONFS_SRCS unionfs.c stats.c opts. + add_executable(unionfs-fuse ${UNIONFS_SRCS} ${HASHTABLE_SRCS}) + target_link_libraries(unionfs-fuse fuse pthread m rt) + +-INSTALL(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/unionfs-fuse DESTINATION sbin) ++INSTALL(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/unionfs-fuse DESTINATION bin) only in patch2: unchanged: --- unionfs-fuse-0.21.orig/debian/patches/man_cow.patch +++ unionfs-fuse-0.21/debian/patches/man_cow.patch 
@@ -0,0 +1,19 @@ +Add another suggestion by Raphael Geissert. + +Index: unionfs-fuse-0.21/man/unionfs-fuse.8 +=================================================================== +--- unionfs-fuse-0.21.orig/man/unionfs-fuse.8 ++++ unionfs-fuse-0.21/man/unionfs-fuse.8 +@@ -68,7 +68,11 @@ network re-initializations, /etc/mtab, / + cron-scripts. This can be easily achieved by creating whiteout files for + these scripts in the group meta directory. + .SH "KNOWN ISSUES" +-Presently it is not possible to create a union for /\. This is work in progress. ++.Vb 5 ++\&1) Presently it is not possible to create a union for /\. This is work in progress. ++\&2) Another issue is that presently there is no support for read-only branches ++when copy-on-write is disabled, thus, -ocow is NOT specified! Support for ++that might be added in later releases. + .SH "AUTHORS" + .B unionfs\-fuse + Original implemention by Radek Podgorny <radek@podgorny.cz> only in patch2: unchanged: --- unionfs-fuse-0.21.orig/debian/patches/bug511995.patch +++ unionfs-fuse-0.21/debian/patches/bug511995.patch @@ -0,0 +1,26 @@ +Fix buffer overflow on using relative pathes, spotted by Raphael Geissert. + +/src/opts.c Thu Jan 08 13:35:46 2009 +0100 ++++ b/src/opts.c Fri Jan 16 11:50:52 2009 +0100 +@@ -49,9 +49,10 @@ + return NULL; + } + +- // 2 due to: +1 for '/' between cwd and relpath ++ // 3 due to: +1 for '/' between cwd and relpath ++ // +1 for trailing '/' + // +1 for terminating '\0' +- int abslen = cwdlen + strlen(relpath) + 2; ++ int abslen = cwdlen + strlen(relpath) + 3; + if (abslen > PATHLEN_MAX) { + fprintf(stderr, "Absolute path too long!\n"); + return NULL; +@@ -65,7 +66,7 @@ + + // the terminating '/' is important so that we are sure later on the + // directory components are properly seperated +- sprintf(abspath, "%s/%s/", cwd, relpath); ++ snprintf(abspath, abslen, "%s/%s/", cwd, relpath); + + return abspath; + } Thanks in advance, Bernd
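
Review bot: In the debian/changelog hunk, the first entry misspells "relative paths" as "relativ pathes", and the two "(closes: ...)" lines stand as bullets of their own instead of on the entries they belong to. Suggest putting "(closes: #511995)" on the buffer overflow entry and "(closes: #511158)" on the /usr/sbin to /usr/bin entry, so each bug closure quotes the change that fixes it.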
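
Review bot: In debian/patches/bug511158.patch, the description does not match the change: it says "Change man path" and cites bug #511047, while the hunk changes the install destination of the unionfs-fuse binary (DESTINATION sbin to DESTINATION bin), and the changelog and the patch file name refer to #511158. Suggest rewording the description to say the binary path is changed and correcting or explaining the bug number. The manual page touched by man_cow.patch is still man/unionfs-fuse.8; with the program now in /usr/bin, consider whether the page belongs in section 1 instead.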
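
Review bot: In debian/patches/man_cow.patch, the added ".Vb 5" has no closing ".Ve" before the following .SH "AUTHORS" line, so the verbatim block it opens under "KNOWN ISSUES" is never ended. .Vb and .Ve are not standard man macros; pod2man-generated pages define them in their preamble, and nothing in the visible context shows that this page does, so either add the ".Ve" or format the two items with plain man macros. The new sentence "when copy-on-write is disabled, thus, -ocow is NOT specified!" is also hard to parse; "that is, when -ocow is not specified" would say the same thing more clearly.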
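
Review bot: In the first src/opts.c hunk of bug511995.patch, abslen is still declared as an int although it is computed from strlen(relpath), so an unsigned length is narrowed to a signed value before the "abslen > PATHLEN_MAX" check and before it is passed to snprintf as a size. Suggest declaring it size_t. The constant 3 also has to stay in step with the "%s/%s/" format string used in the next hunk; the updated comment documents that, and a matching remark next to the format string would help keep the two from drifting apart again.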
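
Review bot: In the second src/opts.c hunk of bug511995.patch, the return value of snprintf(abspath, abslen, "%s/%s/", cwd, relpath) is discarded, so if the length computation is ever wrong again the path is silently truncated and loses the trailing '/' that the comment just above calls important. Suggest storing the result and returning NULL, as the earlier error paths in this function do, when it is negative or greater than or equal to abslen.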