Bug#906857: stretch-pu: package fuse/2.9.7-1+deb9u2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#906857: stretch-pu: package fuse/2.9.7-1+deb9u2
From: László Böszörményi (GCS) <gcs@debian.org>
Date: Tue, 21 Aug 2018 20:07:58 +0200
Message-id: <[🔎] CAKjSHr1r2X_ChRe4Am8Nwbn0LyVm_hQsyAbzQDM8-GBxD1fqFQ@mail.gmail.com>
Reply-to: László Böszörményi (GCS) <gcs@debian.org>, 906857@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi SRMs,

There was a security issue in FUSE (Filesystem in Userspace),
CVE-2018-10906 which was fixed soon. Unfortunately it caused a
regression, autofs and FAT filesystems can not be mounted anymore[1].
Upstream patched these upstream and the fixes were uploaded to Sid and
migrated to Buster.
After talking with the Security Team they noted this is not severe
enough to release the regression fix by them. Hence I ask for
permission of this PU, which whitelist the mentioned filesystems for
Stretch as well.

Debdiff is attached. Thanks for considering,
Laszlo/GCS
[1] https://bugs.debian.org/905366

diff -Nru fuse-2.9.7/debian/changelog fuse-2.9.7/debian/changelog
--- fuse-2.9.7/debian/changelog	2018-07-26 06:39:27.000000000 +0000
+++ fuse-2.9.7/debian/changelog	2018-08-21 17:26:05.000000000 +0000
@@ -1,3 +1,10 @@
+fuse (2.9.7-1+deb9u2) stretch; urgency=medium
+
+  * Whitelist autofs as mountpoint file system.
+  * Whitelist FAT as mountpoint file system (closes: #905366).
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 21 Aug 2018 17:26:05 +0000
+
 fuse (2.9.7-1+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru fuse-2.9.7/debian/patches/0007-Add_autofs_to_mountpoint_file_system_whitelist.patch fuse-2.9.7/debian/patches/0007-Add_autofs_to_mountpoint_file_system_whitelist.patch
--- fuse-2.9.7/debian/patches/0007-Add_autofs_to_mountpoint_file_system_whitelist.patch	1970-01-01 00:00:00.000000000 +0000
+++ fuse-2.9.7/debian/patches/0007-Add_autofs_to_mountpoint_file_system_whitelist.patch	2018-08-21 17:26:05.000000000 +0000
@@ -0,0 +1,32 @@
+From 0ef031bfc08564e7c5920432e13373dcf18dbc63 Mon Sep 17 00:00:00 2001
+From: Robo Shimmer <roboshim@users.noreply.github.com>
+Date: Tue, 31 Jul 2018 16:20:56 +0200
+Subject: [PATCH] Add autofs to mountpoint file system whitelist
+
+---
+ ChangeLog         | 2 ++
+ util/fusermount.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/ChangeLog b/ChangeLog
+index f5d24ca6..2a5168ce 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,5 @@
++* Allow fuse to be mounted into autofs folder hierarchy
++
+ FUSE 2.9.7 (2016-06-20)
+ =======================
+ 
+diff --git a/util/fusermount.c b/util/fusermount.c
+index b8c164dd..2ca75105 100644
+--- a/util/fusermount.c
++++ b/util/fusermount.c
+@@ -1067,6 +1067,7 @@ static int check_perm(const char **mntp, struct stat *stbuf, int *mountpoint_fd)
+ 		0x24051905 /* UBIFS_SUPER_MAGIC */,
+ 		0x58465342 /* XFS_SB_MAGIC */,
+ 		0x2FC12FC1 /* ZFS_SUPER_MAGIC */,
++		0x00000187 /* AUTOFS */,
+ 	};
+ 	for (i = 0; i < sizeof(f_type_whitelist)/sizeof(f_type_whitelist[0]); i++) {
+ 		if (f_type_whitelist[i] == fs_buf.f_type)
diff -Nru fuse-2.9.7/debian/patches/0008-Add_FAT_to_mountpoint_file_system_whitelist.patch fuse-2.9.7/debian/patches/0008-Add_FAT_to_mountpoint_file_system_whitelist.patch
--- fuse-2.9.7/debian/patches/0008-Add_FAT_to_mountpoint_file_system_whitelist.patch	1970-01-01 00:00:00.000000000 +0000
+++ fuse-2.9.7/debian/patches/0008-Add_FAT_to_mountpoint_file_system_whitelist.patch	2018-08-21 17:26:05.000000000 +0000
@@ -0,0 +1,21 @@
+From 9b287377343fd796d359e67de54d477d8084cfcd Mon Sep 17 00:00:00 2001
+From: Benjamin Barenblat <bbaren@google.com>
+Date: Fri, 3 Aug 2018 11:22:37 -0400
+Subject: [PATCH] Add FAT to mountpoint file system whitelist
+
+---
+ util/fusermount.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/util/fusermount.c b/util/fusermount.c
+index 8dce92f6..45b54e3a 100644
+--- a/util/fusermount.c
++++ b/util/fusermount.c
+@@ -1049,6 +1049,7 @@ static int check_perm(const char **mntp, struct stat *stbuf, int *mountpoint_fd)
+ 		0x9123683E /* BTRFS_SUPER_MAGIC */,
+ 		0x00C36400 /* CEPH_SUPER_MAGIC */,
+ 		0xFF534D42 /* CIFS_MAGIC_NUMBER */,
++		0X00004D44 /* MSDOS_SUPER_MAGIC */,
+ 		0x0000F15F /* ECRYPTFS_SUPER_MAGIC */,
+ 		0x0000EF53 /* EXT[234]_SUPER_MAGIC */,
+ 		0xF2F52010 /* F2FS_SUPER_MAGIC */,
diff -Nru fuse-2.9.7/debian/patches/series fuse-2.9.7/debian/patches/series
--- fuse-2.9.7/debian/patches/series	2018-07-26 06:39:27.000000000 +0000
+++ fuse-2.9.7/debian/patches/series	2018-08-21 17:26:05.000000000 +0000
@@ -9,3 +9,5 @@
 CVE-2018-10906/0003-fusermount-bail-out-on-transient-config-read-failure.patch
 CVE-2018-10906/0004-fusermount-refuse-unknown-options.patch
 CVE-2018-10906/0005-fusermount-whitelist-known-good-filesystems-for-moun.patch
+0007-Add_autofs_to_mountpoint_file_system_whitelist.patch
+0008-Add_FAT_to_mountpoint_file_system_whitelist.patch

Reply to:

Follow-Ups:
- Bug#906857: stretch-pu: package fuse/2.9.7-1+deb9u2
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#906857: stretch-pu: package fuse/2.9.7-1+deb9u2
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: affects 906823
Next by Date: Bug#906912: RM: nukeimage/0.3-12
Previous by thread: Processed: affects 906823
Next by thread: Bug#906857: stretch-pu: package fuse/2.9.7-1+deb9u2
Index(es):
- Date
- Thread