Package: ltspfs
Version: 0.5.3-3
Severity: important
Tags: security, patch

all versions of ltspfs prior to 0.5.14 may allow other users who are in the
same group as the user's primary group to read files mounted using ltspfs.

this is fixed upstream with the following patch:

  
http://bazaar.launchpad.net/~ltsp-upstream/ltspfs/ltspfs-trunk/revision/120/src/ltspfs.c

=== modified file 'src/ltspfs.c'
--- src/ltspfs.c        2009-03-06 21:28:04 +0000
+++ src/ltspfs.c        2010-01-12 21:05:47 +0000
@@ -343,6 +343,13 @@
     stbuf->st_uid = fc->uid;
     stbuf->st_gid = fc->gid;

+    /*
+     * Also, in order to make sure that all files are umask 700, we'll
+     * manipulate the st_mode at this point.
+     */
+
+    stbuf->st_mode = stbuf->st_mode & (S_IFDIR | S_IFREG | 0700);
+
     if (!xdr_u_longlong_t(&in, &stbuf->st_rdev))
         return -EACCES;
     if (!xdr_longlong_t(&in, &stbuf->st_size))
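Review bot: the mask on the added line `stbuf->st_mode = stbuf->st_mode & (S_IFDIR | S_IFREG | 0700);` keeps only the S_IFDIR and S_IFREG type bits, so any other file type the server reports comes back with a wrong or empty type field (S_IFLNK shares a bit with S_IFREG and would show as a regular file; a FIFO or character device would keep no type bits at all). Masking with `S_IFMT | 0700` instead strips the group and other permission bits, which is the stated goal, while preserving the whole type field. The comment also says "umask 700" where it means mode 0700 (a umask of 077); worth correcting so the intent is unambiguous.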

i haven't yet tested it, but it or a modified version will hopefully work with
0.5.3, as well.

live well,
  vagrant
