Patch: CVE-2008-2232: privilege escalation

Brought to you by: cjiph

#1 Patch: CVE-2008-2232: privilege escalation

Status: open

Owner: nobody

Labels: None

Priority: 9

Updated: 2008-08-20

Created: 2008-08-20

Creator: Anders Kaseorg

Private: No

afuse is vulnerable to a local privilege escalation because the expand_template function passes metacharacters from the pathname unescaped to the shell. This issue is tracked as CVE-2008-2232:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2232

I submitted a patch to the Debian security team, and they released fixed packages:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490921
However, the vulnerability is still present in your current release and Subversion trunk.

The patch is available from the above Debian bug report, and I have also attached it here.

Discussion

Anders Kaseorg - 2008-08-20

afuse-template-tokenize.patch

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Anders Kaseorg - 2008-08-20

priority: 5 --> 9
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Patch: CVE-2008-2232: privilege escalation

Group

Searches

Help

#1 Patch: CVE-2008-2232: privilege escalation

Discussion