Bug 16872 - fuseiso new buffer overflow security issues (CVE-2015-883[67])
Summary: fuseiso new buffer overflow security issues (CVE-2015-883[67])
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/658939/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-10-01 19:42 CEST by David Walser
Modified: 2016-03-30 15:18 CEST (History)
5 users

See Also:
Source RPM: fuseiso-20070708-11.mga5.src.rpm
CVE:
Status comment:


Attachments
test iso (5.10 KB, application/gzip)
2015-10-15 14:44 CEST, Herman Viaene

Description David Walser 2015-10-01 19:42:10 CEST
Debian-LTS has issued an advisory today (October 1):
http://lwn.net/Vulnerabilities/658939/

Mageia 5 is also affected.

More details are in the Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779047

Reproducible: 

Steps to Reproduce:
David Walser 2015-10-01 19:42:23 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2015-10-14 18:44:46 CEST
I believe these are the patches Debian-LTS used:
https://bugzilla.redhat.com/attachment.cgi?id=1079000&action=diff
https://bugzilla.redhat.com/attachment.cgi?id=1078987&action=diff

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated fuseiso package fixes security vulnerabilities:

An integer overflow, leading to a heap-based buffer overflow flaw was found
in the way FuseISO, a FUSE module to mount ISO filesystem images, performed
reading of certain ZF blocks of particular inodes. A remote attacker could
provide a specially-crafted ISO file that, when mounted via the fuseiso tool
would lead to fuseiso binary crash.

A stack-based buffer overflow flaw was found in the way FuseISO, a FUSE module
to mount ISO filesystem images, performed expanding of directory portions for
absolute path filename entries. A remote attacker could provide a
specially-crafted ISO file that, when mounted via fuseiso tool would lead to
fuseiso binary crash or, potentially, arbitrary code execution with the
privileges of the user running the fuseiso executable. This issue was
discovered by Florian Weimer of Red Hat Product Security Team. The issue got
resolved by checking the resulting length of an absolute path name and by
bailing out if the platform's PATH_MAX value gets exceeded.

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779047
http://lwn.net/Alerts/658923/
========================

Updated packages in core/updates_testing:
========================
fuseiso-20070708-11.1.mga5

from fuseiso-20070708-11.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO => (none)
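The stack-based overflow in the advisory above (later assigned CVE-2015-8837) is the classic "build an absolute path in a fixed PATH_MAX buffer with strcpy/strcat" pattern, and the fix the advisory names is to compute the resulting length and bail out when it would exceed PATH_MAX. The C below is an added illustration written for this page, not fuseiso's source: join_path_checked, deepest_level_that_fits and the 40-by-200 tree shape are assumptions chosen to mirror the deep-tree.iso reproducer, and the fallback PATH_MAX value is only used when limits.h does not define one.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* assumed fallback for platforms that do not define it */
#endif

/*
 * Vulnerable pattern as the advisory describes it (reconstructed for
 * illustration, not fuseiso's actual source):
 *
 *     char absolute[PATH_MAX];
 *     strcpy(absolute, dir);
 *     strcat(absolute, "/");
 *     strcat(absolute, entry);
 *
 * dir and entry both come straight out of the image, so a crafted ISO with
 * a deep tree of long names drives strlen(dir) + 1 + strlen(entry) past
 * PATH_MAX and the copies run off the end of the stack buffer.
 */

/* Hardened join: compute the resulting length first and refuse to build
 * the path when it would not fit; out is left untouched on failure. */
int join_path_checked(char *out, size_t outsz, const char *dir, const char *entry)
{
    size_t dlen = strlen(dir), elen = strlen(entry);

    /* dir + '/' + entry + NUL.  Both inputs are NUL-terminated strings
     * already in memory, so this sum cannot itself wrap around. */
    if (dlen + 1 + elen + 1 > outsz)
        return -ENAMETOOLONG;
    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, entry, elen + 1);
    return 0;
}

/* Walk a tree shaped like the deep-tree.iso reproducer: `depth` nested
 * directories whose names are `namelen` 'X' characters each.  Returns the
 * level at which the checked join first bails out, or `depth` when every
 * level fit inside PATH_MAX.  Returns -1 for a bad namelen. */
int deepest_level_that_fits(int depth, int namelen)
{
    char name[256];
    char cur[PATH_MAX];
    char next[PATH_MAX];
    int level;

    if (namelen <= 0 || namelen >= (int)sizeof name)
        return -1;
    memset(name, 'X', (size_t)namelen);
    name[namelen] = '\0';
    cur[0] = '\0';                       /* start at the image root */

    for (level = 0; level < depth; level++) {
        if (join_path_checked(next, sizeof next, cur, name) != 0)
            return level;                /* would exceed PATH_MAX: stop */
        memcpy(cur, next, strlen(next) + 1);
    }
    return depth;
}

int main(void)
{
    /* Constructed shape: 40 directories of 200 X's, like the test image. */
    int level = deepest_level_that_fits(40, 200);
    printf("PATH_MAX=%d: checked join refuses at nesting level %d of 40\n",
           PATH_MAX, level);
    return 0;
}
```

With the usual Linux PATH_MAX of 4096 each level adds 201 bytes, so the unchecked version would have overflowed its buffer around the 21st directory; the checked join returns -ENAMETOOLONG there instead, which is the "bailing out" the advisory describes.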

Comment 2 Herman Viaene 2015-10-15 14:39:38 CEST
MGA-5 on HP Probook 6555b KDE
No installation issues.
I downloaded the deep-tree.iso as per Redhat bug 862211.
Tried first fuseiso-20070708-11.mga5 (previous version) with this iso and then the update.
Could not see any different behavior between the two: both mount a very deep hierarchy of maps with very long "XXXXXX..........." names which I could travel down in dolphin.
at the CLI "echo $PATH_MAX" just results in a blank line, so I am not sure what this means for the checks in fuseiso????
I cannot find anything wrong with this update, but does it resolve something? Someone with more knowledge than me to judge.

CC: (none) => herman.viaene

Comment 3 Herman Viaene 2015-10-15 14:44:18 CEST
Created attachment 7127
test iso
Comment 4 Herman Viaene 2015-10-15 15:48:25 CEST
BTW: Ark seems to extract the iso OK, but when then closing Ark, it crashes.
Dave Hodgins 2015-10-15 22:04:46 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 5 Herman Viaene 2015-10-16 16:00:44 CEST
As suggested by David in the weekly meeting I tried:
[tester5@mach5 Downloads]$ fuseiso -p deep-tree.iso.gz ./isotest
only 0 bytes read from position 32768, 2048 required; is it really supported file?
[tester5@mach5 Downloads]$ 
That does not seem to work, so the update does not break anything, but whether it resolves the problem is beyond me.
Comment 6 David Walser 2015-10-16 16:04:14 CEST
Does fuseiso support compressed ISOs or do you need to decompress it first?
Comment 7 Herman Viaene 2015-10-16 16:24:19 CEST
from the man page:
fuseiso provides a module to mount ISO filesystem images using FUSE.
With FUSE it is possible to implement a fully functional filesystem in a userspace program.
fuseiso can read ISO, BIN and NRG images containing ISO9660 filesystems. Along with it, it supports some common extensions, like Joliet, RockRidge and zisofs.
It also supports non-standard images, like CloneCD's IMGs and Alcohol 120%'s MDFs, as their format looks exactly like BIN images. One major limitation of BIN images is that fuseiso does not handle CUE files in any way, and thus can only work with the first track of those images.
Other formats like CCD and MDS are not supported, since their format is not public and no one knows it.  

I've never used it before???
Comment 8 David Walser 2015-10-16 16:46:15 CEST
It doesn't say anything about compressed ISOs, so decompress it first with gunzip.
Comment 9 Lewis Smith 2015-10-16 20:34:25 CEST
About to try this on x64 real hardware. I summarise what seem to be the important references for testing:

https://bugzilla.redhat.com/show_bug.cgi?id=861358  -> a test ISO:
https://bugzilla.redhat.com/attachment.cgi?id=1078999
"To trigger this, a program has to attempt to open and read the "zeros" file in the ISO image."

https://bugzilla.redhat.com/show_bug.cgi?id=862211  -> a test ISO:
https://bugzilla.redhat.com/attachment.cgi?id=1078998
"The reproducer requires reading the directory to trigger.  Invoking "find" on the mountpoint is sufficient to achieve that."

I agree with Comment 8 that the test ISOs.gz should be UNzipped first.

CC: (none) => lewyssmith

Comment 10 Lewis Smith 2015-10-16 22:06:08 CEST
Testing Mageia5 x64 [cont]

More info needed than above. After installing it, I got:
 # man fuseiso
 No manual entry for fuseiso
 $ fuseiso [-h]
 Usage: fuseiso [-n] [-p] [-c <iocharset>] [-h] <isofs_image_file> <mount_point>
 [<FUSE library options>]
 ...
 Please consult with FUSE ducumentation for more information
So, /usr/share/doc/fuseiso/README the important additional info here being:
Usage:
    fuseiso [<options>] <image_file> <mountpoint> [<FUSE library options>]
mounts image, while fusermount shipped with FUSE library can be used to unmount:
    fusermount -u <mountpoint>
how to UNmount the image.

BEFORE the update:
$ mkdir fuseiso

$ fuseiso zf-overflow.iso fuseiso/
$ ls -l fuseiso/
-rw-rw-r-- 1 1000 lewis 1048576 Med  28  2012 zeros

$ cp fuseiso/zeros [to a valid place *outside* the mounted ISO]
I messed up this test with an invalid destination; followers please do better.
This was supposed to be followed by 'cmp' of the two files...

$ hexedit fuseiso/zeros
just showed screens of nothing. Both attempts to read the file thus inconclusive.

$ fusermount -u fuseiso/
$ fuseiso deep-tree.iso fuseiso/
$ ls -l fuseiso/
drwxrwxr-x 1 1000 lewis 2048 Hyd   2  2012 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/

$ tree fuseiso/
produced loads of valid looking nested output of directories named as above, ending in:
40 directories, 0 files

$ find fuseiso
did not work, complaining of something (evidence disappeared).

AFTER the update to fuseiso-20070708-11.1.mga5 :
$ cp fuseiso/zeros .
cp: error reading ‘fuseiso/zeros’: Input/output error
cp: failed to extend ‘./zeros’: Input/output error
[This may also have been the pre-update result].

$ hexedit fuseiso/zeros
Again just loads of screens with blank data. This file read tests inconclusive.

With the deep-tree.iso mounted:
$ find fuseiso/
yielded correct output this time; and followed by:
$ tree fuseiso/
which gave the same correct output as before.

Conclusion: before/after tests with the zf-overflow.iso zeros file looked the same, but if someone can do a better job of copying it *before* the update...;
with the deep-tree.iso , I think the after result was better. I think that pre-update, one pass of it (tree) messed up something that stopped the subsequent 'find' from working, which did not happen post-update. No reversion => OK.

Whiteboard: advisory => advisory MGA5-64-OK

Comment 11 Lewis Smith 2015-10-17 10:09:00 CEST
Re-testing x64 to clarify earlier results Comment 10.
This time I kept the output from each test in its own terminal tab, to avoid loss of output due to too-long scrolling.

With the Zeros test iso
----------------------
$ fuseiso zf-overflow.iso fuseiso/
$ ls -l fuseiso/
-rw-rw-r-- 1 1000 lewis 1048576 Med  28  2012 zeros

Before update:
$ cp fuseiso/zeros .
cp: error reading ‘fuseiso/zeros’: Input/output error
cp: failed to extend ‘./zeros’: Input/output error
$ ls -l
-rw-r--r-- 1 lewis lewis 983040 Hyd  16 20:35 deep-tree.iso
dr-xr-xr-x 1 root  root    2048 Med  28  2012 fuseiso/
-rw-r--r-- 1 lewis lewis      0 Hyd  17 08:58 zeros
-rw-r--r-- 1 lewis lewis 360448 Hyd  16 20:35 zf-overflow.iso
The cp failed, but created a zero-length destination file before doing so.
$ rm zeros
rm: remove regular empty file ‘zeros’? y
$ strings fuseiso/zeros
Seemed to work.

After update: all results identical. Tests inconclusive, but *no* reversion.

With the Deep-tree test iso
--------------------------
$ fuseiso deep-tree.iso fuseiso/
$ ls -l fuseiso/
total 1
drwxrwxr-x 1 1000 lewis 2048 Hyd   2  2012 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/

Before update:
$ find fuseiso/
produced a lot of output ending in "find: failed to read file names from file system at or below ‘fuseiso’: Transport endpoint is not connected".
$ tree fuseiso/
fuseiso/ [error opening dir]
0 directories, 0 files
Re-mounting the ISO and reversing the two commands:
$ tree fuseiso/
gave a lot of valid output ending in "40 directories, 0 files".
$ find fuseiso/
find: ‘fuseiso/’: Transport endpoint is not connected
So it looks as if the act of traversing the mounted ISO messed up something.

After update:
Both commands 'find' & 'tree' successively in either order worked without errors. A definite improvement.

These re-tests confirm more sanely the previous ones, and the OK.
Comment 12 David Walser 2015-10-19 16:37:33 CEST
Before and after for zf-overflow, I also get:
$ cat test/zeros
cat: test/zeros: Input/output error

but no crash, and it sounds like the real problem isn't possible on Intel architectures from the rhbz comment, so I think we're OK there.

For deep-tree, besides all the X's, before with find I get:
find: failed to read file names from file system at or below ‘test’: Transport endpoint is not connected

and after, there's no error.  Looks good to me.  Mageia 5 i586.

Whiteboard: advisory MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 13 Herman Viaene 2015-10-22 15:46:25 CEST
To David Comment 8 : I mentioned Ark in Comment 4 that I used Ark (to decompress). My Comment 5 was triggered by Dave Hodgins' suggestion that fuseiso would be able to handle compressed iso's. Quod non.
Anyway, repeated test on MGA5-32 with fuseiso-20070708-11.mga5 (supposed to show the problem?)
but at CLI
$ fuseiso -p deep-tree.iso /media/disk/
and
$ tree /media/disk/
/media/disk/
└── XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

at the end: 40 directories, 0 files
so I cannot reproduce the problem there and the updated fuseiso-20070708-11.1.mga5 has no adverse effects
Comment 14 Dave Hodgins 2015-10-22 18:53:44 CEST
(In reply to Herman Viaene from comment #13)
> To David Comment 8 : I mentioned Ark in Comment 4 that I used Ark (to
> decompress). My Comment 5 was triggered by Dave Hodgins' suggestion that
> fuseiso would be able to handle compressed iso's. Quod non.

Just to clarify, I was asking why ark was being used, as the iso file should
NOT be compressed. Poor communication on my part.
Comment 15 William Kenney 2015-10-25 15:16:55 CET
Validating this update

Keywords: (none) => validated_update
CC: (none) => wilcal.int, sysadmin-bugs

Comment 16 Mageia Robot 2015-10-25 15:38:59 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0406.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 17 David Walser 2016-03-30 15:18:04 CEST
CVEs have finally been assigned for this:
http://openwall.com/lists/oss-security/2016/03/30/1

Advisory:
========================

Updated fuseiso package fixes security vulnerabilities:

An integer overflow, leading to a heap-based buffer overflow flaw was found
in the way FuseISO, a FUSE module to mount ISO filesystem images, performed
reading of certain ZF blocks of particular inodes. A remote attacker could
provide a specially-crafted ISO file that, when mounted via the fuseiso tool
would lead to fuseiso binary crash (CVE-2015-8836).

A stack-based buffer overflow flaw was found in the way FuseISO, a FUSE module
to mount ISO filesystem images, performed expanding of directory portions for
absolute path filename entries. A remote attacker could provide a
specially-crafted ISO file that, when mounted via fuseiso tool would lead to
fuseiso binary crash or, potentially, arbitrary code execution with the
privileges of the user running the fuseiso executable. This issue was
discovered by Florian Weimer of Red Hat Product Security Team. The issue got
resolved by checking the resulting length of an absolute path name and by
bailing out if the platform's PATH_MAX value gets exceeded (CVE-2015-8837).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8837
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779047
http://lwn.net/Alerts/658923/
http://openwall.com/lists/oss-security/2016/03/30/1

Summary: fuseiso new buffer overflow security issues => fuseiso new buffer overflow security issues (CVE-2015-883[67])
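The first issue in the advisory (CVE-2015-8836) is an integer overflow that turns into a heap overflow while reading zisofs ("ZF") blocks. The C below is an added example for this page, not fuseiso's code, showing the class of check that prevents it: derive the block count and pointer-table size from the ZF fields in wide arithmetic after range-checking the log2 block size, and validate the block pointer table before any length is computed by subtraction. The 15..17 log2 range, the function names and the sample tables are assumptions; the 1 MiB file size matches the "zeros" entry in the zf-overflow test image seen in the testing above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limits (illustrative, not taken from fuseiso): zisofs encodes the
 * block size as log2 and real images use 32K, 64K or 128K blocks, so any
 * other exponent is rejected before it can feed a shift or a division. */
#define ZF_MIN_LOG2_BS 15
#define ZF_MAX_LOG2_BS 17

struct zf_layout {
    uint32_t block_size;          /* bytes per uncompressed block */
    uint32_t nblocks;             /* ceil(real_size / block_size) */
    uint64_t pointer_table_bytes; /* (nblocks + 1) * 4 */
};

/* Derive the block layout from the ZF entry fields.  Every intermediate is
 * held in a 64-bit type and log2_bs is range-checked first, so neither the
 * shift nor the rounding-up can wrap.  Returns 0 or -EINVAL. */
int zf_compute_layout(unsigned log2_bs, uint32_t real_size, struct zf_layout *out)
{
    if (log2_bs < ZF_MIN_LOG2_BS || log2_bs > ZF_MAX_LOG2_BS)
        return -EINVAL;
    uint32_t bs = (uint32_t)1u << log2_bs;
    /* real_size is at most 2^32-1 and bs at least 2^15, so nblocks is at
     * most 2^17 and the table size stays far below any allocation limit. */
    uint64_t nblocks = ((uint64_t)real_size + bs - 1) / bs;
    out->block_size = bs;
    out->nblocks = (uint32_t)nblocks;
    out->pointer_table_bytes = (nblocks + 1) * 4;
    return 0;
}

/* Validate a pointer table (nblocks + 1 entries) read from the image.
 * Compressed block i occupies [ptr[i], ptr[i+1]) inside the file's data
 * region of data_limit bytes.  Offsets must be non-decreasing and end
 * inside that region, so a block length obtained by subtraction can never
 * go negative, wrap, or point past the data that is actually there. */
int zf_check_pointers(const uint32_t *ptr, uint32_t nblocks, uint64_t data_limit)
{
    for (uint32_t i = 0; i < nblocks; i++)
        if (ptr[i] > ptr[i + 1])
            return -EINVAL;
    if (ptr[nblocks] > data_limit)
        return -EINVAL;
    return 0;
}

/* Length of compressed block i; only meaningful after zf_check_pointers. */
uint64_t zf_block_len(const uint32_t *ptr, uint32_t i)
{
    return (uint64_t)ptr[i + 1] - ptr[i];
}

/* Constructed sample tables, each for nblocks = 3 (four entries). */
const uint32_t zf_sample_good[4]      = {0, 1200, 1200, 3000}; /* block 1 empty: allowed */
const uint32_t zf_sample_backwards[4] = {0, 3000, 1200, 4000}; /* ptr[1] > ptr[2] */
const uint32_t zf_sample_past_end[4]  = {0, 1200, 2400, 9000}; /* runs past the data */

int main(void)
{
    struct zf_layout l;
    /* Constructed values: a 1 MiB file with 32 KiB zisofs blocks. */
    if (zf_compute_layout(15, 1048576, &l) == 0)
        printf("block_size=%u nblocks=%u pointer table=%llu bytes\n",
               l.block_size, l.nblocks, (unsigned long long)l.pointer_table_bytes);
    printf("log2_bs=31 -> %d\n", zf_compute_layout(31, 1, &l));
    printf("backwards table -> %d\n", zf_check_pointers(zf_sample_backwards, 3, 8192));
    return 0;
}
```

Comment 12 notes that the heap overflow is reportedly not reachable on Intel architectures; the checks above are the portable way to make the arithmetic safe regardless of how a given platform's integer sizes happen to fall.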

