Dear release team,
as I already wrote to the mentors list, there is a critical bug in unionfs-
fuse, see below. So far nobody uploaded the package, maybe due to possible
security implications? Or maybe since I also included two other changes?
Main fix: Bug#511995, one byte too few was malloced on converting relative to
absolute paths, causing a buffer overflow when relative paths are specified.
Second fix: Bug#511158, move binary to /usr/bin, since it can be used by all
users.
Third fix: Add some details to the man page, that not everything might work as
expected without the option "-ocow".
If the 2nd and 3rd fix are not acceptable for Lenny, please tell me so, I will
then remove these two patches.
On Wednesday 28 January 2009, Bernd Schubert wrote:
> Dear mentors,
>
> I'm looking for a sponsor to upload the new version 0.21-3 of unionfs-fuse
> in order to fix an important bug. There is a one byte buffer overflow
> (bug#511995). I don't think it can be used to compromise security, but
> still, it should be fixed as soon as possible.
>
> It builds these binary packages:
> unionfs-fuse - Fuse implementation of unionfs
>
> The package appears to be lintian clean.
>
> The upload would fix these bugs: 511158, 511995
>
> The package can be found on mentors.debian.net:
> - URL: http://mentors.debian.net/debian/pool/main/u/unionfs-fuse
> - Source repository: deb-src http://mentors.debian.net/debian unstable main
> contrib non-free
> - dget http://mentors.debian.net/debian/pool/main/u/unionfs-fuse/unionfs-fuse_0.21-3.dsc
>
> I would be glad if someone uploaded this package for me.
Here is also the debdiff output:
bernd@bathl debian_commit>debdiff 21-2/unionfs-fuse_0.21-2.dsc unionfs-fuse_0.21-3.dsc
diff -u unionfs-fuse-0.21/debian/changelog unionfs-fuse-0.21/debian/changelog
--- unionfs-fuse-0.21/debian/changelog
+++ unionfs-fuse-0.21/debian/changelog
@@ -1,3 +1,14 @@
+unionfs-fuse (0.21-3) unstable; urgency=high
+
+ * fixes critical buffer overflow on using relativ pathes
+ * slightly improve the man page to tell people without -ocow
+ not everything might work as expected
+ * change binary path from /usr/sbin to /usr/bin
+ * (closes: #511995)
+ * (closes: #511158)
+
+ -- Bernd Schubert <bernd-schubert@gmx.de> Sat, 24 Jan 2009 00:10:44 +0100
+
unionfs-fuse (0.21-2) unstable; urgency=high
* fix a critical bug: creating new files in directories existing only
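Review bot: The two "(closes: ...)" bullets at the end of the 0.21-3 entry are not attached to the change that fixes each bug, so the changelog alone does not show that #511995 is the overflow and #511158 the move to /usr/bin. Put each on the item it belongs to, for example "* fix critical buffer overflow on using relative paths (Closes: #511995)". The first bullet also carries the typos "relativ pathes".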
diff -u unionfs-fuse-0.21/debian/patches/series unionfs-
fuse-0.21/debian/patches/series
--- unionfs-fuse-0.21/debian/patches/series
+++ unionfs-fuse-0.21/debian/patches/series
@@ -2,0 +3,3 @@
+bug511995.patch
+man_cow.patch
+bug511158.patch
only in patch2:
unchanged:
--- unionfs-fuse-0.21.orig/debian/patches/bug511158.patch
+++ unionfs-fuse-0.21/debian/patches/bug511158.patch
@@ -0,0 +1,13 @@
+Change man path from /usr/sbin to /usr/bin as suggested by Raphael Geissert
+in bug #511047.
+
+Index: unionfs-fuse-0.21/src/CMakeLists.txt
+===================================================================
+--- unionfs-fuse-0.21.orig/src/CMakeLists.txt
++++ unionfs-fuse-0.21/src/CMakeLists.txt
+@@ -23,4 +23,4 @@ set(UNIONFS_SRCS unionfs.c stats.c opts.
+ add_executable(unionfs-fuse ${UNIONFS_SRCS} ${HASHTABLE_SRCS})
+ target_link_libraries(unionfs-fuse fuse pthread m rt)
+
+-INSTALL(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/unionfs-fuse DESTINATION sbin)
++INSTALL(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/unionfs-fuse DESTINATION bin)
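Review bot: The description of this patch says "Change man path" and cites bug #511047, but the only change is the INSTALL(PROGRAMS ...) destination of the binary, and both the file name and the changelog use #511158. Reword the description to say the binary moves from sbin to bin and make the bug number consistent. The man page touched elsewhere in this debdiff is still man/unionfs-fuse.8; with the program now in bin for all users, check whether section 8 is still the right place for it.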
only in patch2:
unchanged:
--- unionfs-fuse-0.21.orig/debian/patches/man_cow.patch
+++ unionfs-fuse-0.21/debian/patches/man_cow.patch
@@ -0,0 +1,19 @@
+Add another suggestion by Raphael Geissert.
+
+Index: unionfs-fuse-0.21/man/unionfs-fuse.8
+===================================================================
+--- unionfs-fuse-0.21.orig/man/unionfs-fuse.8
++++ unionfs-fuse-0.21/man/unionfs-fuse.8
+@@ -68,7 +68,11 @@ network re-initializations, /etc/mtab, /
+ cron-scripts. This can be easily achieved by creating whiteout files for
+ these scripts in the group meta directory.
+ .SH "KNOWN ISSUES"
+-Presently it is not possible to create a union for /\. This is work in
progress.
++.Vb 5
++\&1) Presently it is not possible to create a union for /\. This is work in
progress.
++\&2) Another issue is that presently there is no support for read-only
branches
++when copy-on-write is disabled, thus, -ocow is NOT specified! Support for
++that might be added in later releases.
+ .SH "AUTHORS"
+ .B unionfs\-fuse
+ Original implemention by Radek Podgorny <radek@podgorny.cz>
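Review bot: ".Vb 5" is added under KNOWN ISSUES with no closing ".Ve" before .SH "AUTHORS", so the verbatim block is left open; .Vb and .Ve are the verbatim macros that pod2man defines in a page preamble, and if this page does not carry that preamble the request is undefined. Either close the block with ".Ve" or write the two items as ordinary paragraphs. The added wording "when copy-on-write is disabled, thus, -ocow is NOT specified!" is hard to parse; "when -ocow is not specified" states the condition directly.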
only in patch2:
unchanged:
--- unionfs-fuse-0.21.orig/debian/patches/bug511995.patch
+++ unionfs-fuse-0.21/debian/patches/bug511995.patch
@@ -0,0 +1,26 @@
+Fix buffer overflow on using relative pathes, spotted by Raphael Geissert.
+
+/src/opts.c Thu Jan 08 13:35:46 2009 +0100
++++ b/src/opts.c Fri Jan 16 11:50:52 2009 +0100
+@@ -49,9 +49,10 @@
+ return NULL;
+ }
+
+- // 2 due to: +1 for '/' between cwd and relpath
++ // 3 due to: +1 for '/' between cwd and relpath
++ // +1 for trailing '/'
+ // +1 for terminating '\0'
+- int abslen = cwdlen + strlen(relpath) + 2;
++ int abslen = cwdlen + strlen(relpath) + 3;
+ if (abslen > PATHLEN_MAX) {
+ fprintf(stderr, "Absolute path too long!\n");
+ return NULL;
+@@ -65,7 +66,7 @@
+
+ // the terminating '/' is important so that we are sure later on the
+ // directory components are properly seperated
+- sprintf(abspath, "%s/%s/", cwd, relpath);
++ snprintf(abspath, abslen, "%s/%s/", cwd, relpath);
+
+ return abspath;
+ }
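Review bot: In the first hunk abslen is still an int computed as cwdlen + strlen(relpath) + 3, and that constant has to be kept in step by hand with the format string %s/%s/ in the second hunk, which is exactly the mismatch being fixed here. Consider a size_t for the length and a check of the snprintf return value (a result >= abslen means truncation), so that a later change to the format fails visibly instead of overflowing or silently truncating the path. The old-file header of the embedded patch also appears as "/src/opts.c ..." without the "--- a" prefix; confirm that the file in the package has the complete header.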
Thanks in advance,
Bernd
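The off-by-one described in this mail, as an added example that is not part of the original message or of the unionfs-fuse source: the buffer size is checked against what the "%s/%s/" format really produces, and the snprintf result is verified. The function names, the PATHLEN_MAX value of 1024 and the sample paths are assumptions made for this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATHLEN_MAX 1024 /* assumed value, not taken from unionfs-fuse */

/* Characters "%s/%s/" produces, excluding the NUL (measured, not hand-counted). */
int formatted_len(const char *cwd, const char *relpath)
{
    return snprintf(NULL, 0, "%s/%s/", cwd, relpath);
}

/* Buffer size for "<cwd>/<relpath>/" plus NUL; 0 if the sum would wrap. */
size_t abs_path_size(const char *cwd, const char *relpath)
{
    size_t a = strlen(cwd), b = strlen(relpath);
    if (a > SIZE_MAX - 3 || b > SIZE_MAX - 3 - a)
        return 0;
    return a + b + 3; /* two '/' and one '\0' */
}

/* Hypothetical helper: returns a malloc'ed absolute path or NULL. */
char *make_absolute_checked(const char *cwd, const char *relpath)
{
    size_t need = abs_path_size(cwd, relpath);
    if (need == 0 || need > PATHLEN_MAX) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    char *abspath = malloc(need);
    if (abspath == NULL)
        return NULL;
    int n = snprintf(abspath, need, "%s/%s/", cwd, relpath);
    if (n < 0 || (size_t)n != need - 1) { /* truncated or failed */
        free(abspath);
        return NULL;
    }
    return abspath;
}

int main(void)
{
    /* Constructed sample input. */
    char *p = make_absolute_checked("/home/u", "branch");
    printf("%s needs %d+1 bytes\n", p ? p : "(null)",
           formatted_len("/home/u", "branch"));
    free(p);
    return 0;
}
```

With the old "+ 2" the allocation would equal formatted_len(), leaving no room for the terminating NUL.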