Debian and Ubuntu have issued advisories on May 21:
https://www.debian.org/security/2015/dsa-3266
http://www.ubuntu.com/usn/usn-2617-1/

They both also noted that ntfs-3g can be affected:
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-3202
https://www.debian.org/security/2015/dsa-3268

But that's only if it's built with an internal fuse, which ours is not.

Patches checked into Mageia 4 and Cauldron SVN. Freeze push requested.
More details on this issue are here: https://marc.info/?l=oss-security&m=143222736930704&w=2
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated fuse packages fix security vulnerability:

Tavis Ormandy discovered that FUSE incorrectly filtered environment variables. A local attacker could use this issue to gain administrative privileges (CVE-2015-3202).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3202
http://www.ubuntu.com/usn/usn-2617-1/
========================

Updated packages in core/updates_testing:
========================
fuse-2.9.3-2.1.mga4
libfuse-devel-2.9.3-2.1.mga4
libfuse2-2.9.3-2.1.mga4
libfuse-static-devel-2.9.3-2.1.mga4

from fuse-2.9.3-2.1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
URL: (none) => http://lwn.net/Vulnerabilities/645632/
Advisory uploaded.
Whiteboard: (none) => advisory
Testing complete mga4 64

Used sshfs-fuse to test. It uses ssh to mount a remote filesystem somewhere in userland. Helps to have passwordless login configured, but not necessary.

Mounted and unmounted a remote filesystem.

$ ls test2
$ sshfs cctv: test2/

Syntax is sshfs <host>:<path> <mount point>

$ ls test2
depcheck* Documents/ Pictures/ tmp/ Desktop/ Downloads/ Music/ Templates/ Videos/
$ fusermount -u test2
$ ls test2
$
Whiteboard: advisory => has_procedure advisory mga4-64-ok
Testing complete mga4 32

Validating. Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0239.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED