BUGTRAQ ID: 30245
CVE(CAN) ID: CVE-2008-2232
Afuse是使用FUSE在用户域实现的自动加载文件系统。
Afuse没有正确地过滤文件名便将其用在了system()调用中。如果能够读访问afuse文件系统的攻击者使用了类似于以下的路径的话:
/path/";arbitrary command;"
/path/arbitrary command
则从注册为Afuse加载的目录请求上述特制文件就会导致以提升的权限执行任意命令。
Debian已经为此发布了一个安全公告(DSA-1611-1)以及相应补丁:
DSA-1611-1:New afuse packages fix privilege escalation
链接:<a href=“http://www.debian.org/security/2008/dsa-1611” target=“_blank”>http://www.debian.org/security/2008/dsa-1611</a>
补丁下载:
Source archives:
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1.diff.gz” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1.diff.gz</a>
Size/MD5 checksum: 3699 645246f8f338b76b6d6785fff9997c5a
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1.dsc” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1.dsc</a>
Size/MD5 checksum: 657 fe408099626f3bad3bc68d2717df2a9b
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1.orig.tar.gz” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1.orig.tar.gz</a>
Size/MD5 checksum: 98171 95cce7d6ed8e984d0ff2d650e6beb167
alpha architecture (DEC Alpha)
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_alpha.deb” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_alpha.deb</a>
Size/MD5 checksum: 15476 465baebb172ecda5ed1e7bdd174fddac
amd64 architecture (AMD x86_64 (AMD64))
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_amd64.deb” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_amd64.deb</a>
Size/MD5 checksum: 14224 5e5dca72cb191bf0d435f770c62e07f5
arm architecture (ARM)
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_arm.deb” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_arm.deb</a>
Size/MD5 checksum: 12448 f39bc75bceec2e8979a514bda07164d6
hppa architecture (HP PA RISC)
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_hppa.deb” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_hppa.deb</a>
Size/MD5 checksum: 14602 603022ee85f781d0c8c155936d432484
i386 architecture (Intel ia32)
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_i386.deb” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_i386.deb</a>
Size/MD5 checksum: 13086 b422ac9cb737dd1fb7827eb6ea222bba
ia64 architecture (Intel ia64)
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_ia64.deb” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_ia64.deb</a>
Size/MD5 checksum: 17730 9fc41e69a8df1ddee15831b971ededb1
mips architecture (MIPS (Big Endian))
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_mips.deb” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_mips.deb</a>
Size/MD5 checksum: 14232 69ebaa63e04dd9a16ad8ff5a772dc576
mipsel architecture (MIPS (Little Endian))
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_mipsel.deb” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_mipsel.deb</a>
Size/MD5 checksum: 14282 9dabd8530851c9588c4927f53cf923d2
powerpc architecture (PowerPC)
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_powerpc.deb” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_powerpc.deb</a>
Size/MD5 checksum: 13582 c6c86e8600353b4ff4ed66c9608fd7d0
s390 architecture (IBM S/390)
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_s390.deb” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_s390.deb</a>
Size/MD5 checksum: 14154 b36cc8bab5a28d13430a18697bb4b85c
sparc architecture (Sun SPARC/UltraSPARC)
<a href=“http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_sparc.deb” target=“_blank”>http://security.debian.org/pool/updates/main/a/afuse/afuse_0.1.1-1+etch1_sparc.deb</a>
Size/MD5 checksum: 12562 ff0fd7531cc011d032f74c78ae17ca0e
补丁安装方法:
首先,使用下面的命令来下载补丁软件:
然后,使用下面的命令来安装补丁:
使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
然后,使用下面的命令安装更新软件包: