Branches for Wheezy

Author: Nikolaus Rath
Revision Date: 2014-08-19 20:44:17 UTC

SECURITY UPDATE for CVE-2014-0485 remote code execution vulnerability.

For non-encrypted file systems, an attacker with control over the
communication with the storage backend or the ability to
manipulate the data stored in the backend was able to trigger
execution of arbitrary code by mount.s3ql, fsck.s3ql, mkfs.s3ql
and s3qladm.

Encrypted file systems were protected against this if the attacker
did not know the file system passphrase. Mounting an encrypted
file system prepared by an attacker (which is possible if the
attacker shares the file system passphrase) thus allowed the
attacker to execute arbitrary code even when using encryption.