Moritz Muehlenhoff
2010-Jan-30 11:11 UTC
[Secure-testing-team] Bug#567633: race condition in fusermount
Package: fuse-utils
Severity: grave
Tags: security

fuse 2.8.2 fixes a race condition if two fusermount -u instances are run in parallel, which allows local privilege escalation.

This issue was discovered by Dan Rosenberg.

Cheers,
Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages fuse-utils depends on:
ii  adduser   3.112     add and remove users and groups
ii  libc6     2.10.2-5  Embedded GNU C Library: Shared lib
pn  libfuse2  <none>    (no description available)
ii  makedev   2.3.1-89  creates device files in /dev
ii  sed       4.2.1-6   The GNU sed stream editor
ii  udev      150-2     /dev/ and hotplug management daemo

fuse-utils recommends no packages.

fuse-utils suggests no packages.