PROBLEM: | It was discovered that afuse, an automounting file system in user-space, did not properly escape meta characters in paths. This allowed a local attacker with read access to the file system to execute commands as the owner of the file system. |
PLATFORM: | Debian GNU/Linux 4.0 (etch) |
DAMAGE: | Privilege escalation. |
SOLUTION: | Upgrade to the appropriate version. |
VULNERABILITY ASSESSMENT: |
The risk is LOW. This allows a local attacker with read access to the file system to execute commands as the owner of the file system. |
CVSS 2 BASE SCORE: TEMPORAL SCORE: VECTOR: |
4.3 3.6 (AV:L/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C) |
LINKS: | |
CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/s-370.shtml |
ORIGINAL BULLETIN: | http://www.debian.org/security/2008/dsa-1611 |
CVE: | CVE-2008-2232 |
[***** Start Debian Security Advisory DSA-1611-1 *****]
Anders Kaseorg discovered that afuse, an automounting file system in user-space, did not properly escape meta characters in paths. This allowed a local attacker with read access to the filesystem to execute commands as the owner of the filesystem.
For the stable distribution (etch), this problem has been fixed in version 0.1.1-1+etch1.
For the unstable distribution (sid), this problem has been fixed in version 0.2-3.
We recommend that you upgrade your afuse (0.1.1-1+etch1) package.
MD5 checksums of the listed files are available in the original advisory.
[***** End Debian Security Advisory DSA-1611-1 *****]
Voice: +1 925-422-8193 (7 x 24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org