Debian Patches
Status for sshfs-fuse/3.7.3-1.2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| add-contain_symlinks-option-to-prevent-symlink-escap.patch | add contain_symlinks option to prevent symlink escape attacks. A malicious SFTP server can return symlink targets that the local kernel VFS resolves outside the mount root, enabling local file reads or writes through ordinary operations like cp following a symlink. Add a contain_symlinks option (default on) that rejects absolute symlink targets and any target containing a `..` component, returning EPERM. Users who need legacy pass-through for trusted servers can opt out with -o no_contain_symlinks. The check is purely lexical and deliberately strict: in an adversarial filesystem the server controls intermediate path components, so any non-`..` component could be a symlink anywhere, making lexical depth tracking unreliable. Rejecting absolute and any `..` is the simplest rule that is provably complete against the threat model. transform_symlinks composes poorly with containment because transformed results often contain `..`; a warning is emitted when both are enabled. Tests cover default-on containment (readlink + open/stat traversal), opt-out behavior, transform_symlinks interaction (both arms), and option precedence. | Abhinav Agarwal <abhinavagarwal1996@gmail.com> | yes | debian upstream | https://github.com/libfuse/sshfs/commit/bcd132f17ccf1b8592a229df797c9b08883fec26 | 2026-05-17 |
| reject-hostname-option-injection-via-bracketed-mount.patch | reject hostname option injection via bracketed mount source. A source like [-oProxyCommand=CMD]:/path passes the bracket-parsing check in find_base_path() and ends up as -oProxyCommand=CMD in the ssh argv. When sftp_server is a path, ssh gets a destination argument and executes the injected ProxyCommand before connecting. Reject hostnames starting with - after bracket stripping, and add -- before the hostname in the ssh command line so positional args can't be misread as options. | Abhinav Agarwal <abhinavagarwal1996@gmail.com> | yes | debian upstream | https://github.com/libfuse/sshfs/commit/29bb565ea6405e2dd5a0ea65fe64da117e76055e | 2026-05-29 |
All known versions for source package 'sshfs-fuse'
- 3.7.3-1.2 (sid)
- 3.7.3-1.2~deb13u1 (trixie-proposed-updates)
- 3.7.3-1.2~deb12u1 (bookworm-proposed-updates)
- 3.7.3-1.1 (trixie, bookworm, forky)
