502300 is a security bug (SUID permission is 755 instead of 700 during installation)
tags 502300 + security
tags 502300 + patch
tags 398254 - security
thanks
Sorry, it was 502300 and not 398254 (lack of coffee).
On Friday 2 January 2009, Bastien ROUCARIES wrote:
> tags 398254 + security
> tags 398254 + patch
> thanks
>
> >The postinst of fuse-utils creates the group fuse and sets the
> >permissions of fusermount to root:fuse 4754. Before that happens,
> >fusermount has the permissions specified in the deb, namely root:root
> >4755. Thus, during the installation of fuse, any user can mount a
> >FUSE filesystem without needing membership in group fuse.
>
> I believe it is a security bug: a non-allowed user could use fuse.
> Do not raise priority because it will only allow a user to do something mad on his own account, and the race window is tiny.
>
> Patch is simple, please apply (NMU candidate?)
>
> Regards
>
> Bastien
--
"ROUCARIÈS Bastien"
roucaries.bastien+debian@gmail.com
-------------------------------------------------------------------------------
DO NOT WRITE TO roucaries.bastien+blackhole@gmail.com OR BE BLACKLISTED
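An added example, not part of the original message or of the fuse packaging: a check over a package listing in the `dpkg-deb -c` format that flags set-id files shipped executable by everyone, which is the state the quoted report describes for fusermount until postinst narrows it. The sample listing, its paths and the helper names are constructed for illustration.

```python
# Added example: find set-id files that are world-executable as shipped,
# i.e. in the mode that applies between unpack and the postinst chmod/chown.
# Input is text in the `dpkg-deb -c` (tar -tv style) listing format.

# Constructed sample listing; sizes, dates, paths and helper names are made up.
SAMPLE_LISTING = """\
drwxr-xr-x root/root         0 2008-12-01 10:00 ./usr/bin/
-rwsr-xr-x root/root     22344 2008-12-01 10:00 ./usr/bin/fusermount
-rwxr-xr-x root/root      9100 2008-12-01 10:00 ./usr/bin/plain-tool
-rwsr-x--- root/root     22344 2008-12-01 10:00 ./usr/bin/restricted-helper
"""


def parse_entry(line):
    """Split one listing line into (mode string, owner, group, path)."""
    fields = line.split(None, 5)  # mode, owner/group, size, date, time, path
    if len(fields) < 6 or len(fields[0]) != 10 or "/" not in fields[1]:
        return None
    owner, group = fields[1].split("/", 1)
    return fields[0], owner, group, fields[5]


def exposed_setid_files(listing):
    """Return regular files that are setuid/setgid and executable by 'other'."""
    findings = []
    for line in listing.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        mode, owner, group, path = entry
        if mode[0] != "-":
            continue  # regular files only; skip directories, symlinks, devices
        setuid = mode[3] in "sS"      # 's'/'S' in the owner-execute slot
        setgid = mode[6] in "sS"      # 's'/'S' in the group-execute slot
        other_exec = mode[9] in "xt"  # 'x' or 't' means others may execute
        if (setuid or setgid) and other_exec:
            findings.append({"path": path, "mode": mode, "owner": owner,
                             "group": group, "setuid": setuid, "setgid": setgid})
    return findings


if __name__ == "__main__":
    for f in exposed_setid_files(SAMPLE_LISTING):
        print(f"{f['mode']} {f['owner']}:{f['group']} {f['path']}")
```

A file that is only narrowed by postinst shows up here, while one shipped without execute permission for others does not.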