Dear Adam,

> It would be more helpful if you checked, before filing grave bugs on
> packages.

I apologize for my laziness. I do not normally use fuse. Maybe I could set up a test machine, but (unless I succeeded in the exploit) would not properly know whether Debian was safe. I thought it was better to warn now, than leave blissfully vulnerable.

> This sounds very much like CVE-2009-3297, which has been fixed in
> unstable, testing and stable since February (see DSA-1989-1).

The page
  http://www.debian.org/security/2010/dsa-1989
refers to
  http://bugs.debian.org/567633
which says:
  a race condition if two fusermount -u instances are run in parallel
so that does not seem to be the same issue. The page
  http://security-tracker.debian.org/tracker/DSA-1989-1
points to
  http://security-tracker.debian.org/tracker/CVE-2010-0789
which mentions "a symlink attack", which may be closer to this issue.

I would expect DSA-1989 to have been adopted and fixed by Ubuntu, where the original poster says he found the issue.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia