Steffen Joeris
2008-Jul-15 11:05 UTC
[Secure-testing-team] Bug#490921: CVE-2008-2232: privilege escalation
Package: afuse
Version: 0.2-2
Severity: grave
Tags: security
Justification: user security hole

Hi

A privilege escalation has been reported against afuse.
This issue is CVE-2008-2232.

Here is some additional information:

afuse accepts a command line of the form

  afuse /path -o mount_template="mount-script %m %r" \
      unmount_template="unmount-script %m %r"

It replaces %m with the mountpoint and %r with the next component of the
pathname being accessed. These interpolated strings are inserted inside
double quotes, but metacharacters within them are not escaped. The
resulting string is then passed to system() and executed by the shell.
Therefore, an attacker with read access to the afuse filesystem can gain
the privileges of its owner, using paths such as

  /path/";arbitrary command;"
  /path/`arbitrary command`

The patch attached is from the original reporter Anders Kaseorg, please
honour him in the changelog.

When you fix this issue, please mention the CVE id in your changelog.

Cheers
Steffen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: afuse-template-tokenize.patch
Type: text/x-c++
Size: 5085 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080715/8687564d/attachment.bin
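
The report above describes %m and %r being pasted into a string that system() hands to the shell. The following is an added example, not the attached patch (whose contents are not shown on this page) and not afuse code: it splits the template on whitespace first and substitutes per token, so the result can go to execvp() without a shell. The names build_argv, expand_token and MAX_ARGS are hypothetical, and the sketch assumes templates need no quoting of their own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_ARGS 16

/* Expand %m / %r inside one template token of length len (heap result). */
static char *expand_token(const char *tok, size_t len, const char *m, const char *r)
{
    char *out = malloc(len * (strlen(m) + strlen(r) + 1) + 1), *p = out;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        const char *sub = NULL;
        if (tok[i] == '%' && i + 1 < len && tok[i + 1] == 'm') sub = m;
        if (tok[i] == '%' && i + 1 < len && tok[i + 1] == 'r') sub = r;
        if (!sub) { *p++ = tok[i]; continue; }
        memcpy(p, sub, strlen(sub));
        p += strlen(sub);
        i++;                          /* skip the format letter */
    }
    *p = '\0';
    return out;
}

/* Split the template on whitespace FIRST, then substitute into each token,
 * so the untrusted %r value cannot add, split or terminate arguments.
 * Returns argc, or -1 on error; argv is NULL-terminated. */
static int build_argv(const char *tmpl, const char *m, const char *r,
                      char *argv[MAX_ARGS + 1])
{
    int argc = 0;
    for (const char *t = tmpl + strspn(tmpl, " \t"); *t; t += strspn(t, " \t")) {
        size_t len = strcspn(t, " \t");
        if (argc == MAX_ARGS || !(argv[argc] = expand_token(t, len, m, r)))
            return -1;
        argc++;
        t += len;
    }
    argv[argc] = NULL;
    return argc ? argc : -1;
}

int main(void)
{
    /* Constructed input: echo stands in for the mount script; the path
     * component is the hostile one quoted in the report. */
    char *argv[MAX_ARGS + 1];
    if (build_argv("echo mount-script %m %r", "/path", "\";arbitrary command;\"", argv) < 0)
        return 1;
    execvp(argv[0], argv);            /* no shell parses the strings */
    return 127;                       /* reached only if execvp failed */
}
```

The quotes, semicolons and backticks arrive at the script as ordinary bytes of one argument. The script must still treat that argument as untrusted, for example by passing it after `--` so a leading dash is not read as an option.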