Hi Clayton (CC),

what is the story there? I don't believe any of those MS reports
are actually (important) security issues, also why was this being
disclosed publicly rather than responsibly?

The fixes for the alleged permission issue also only handle one
parent directory and classic permissions, but not any other
(grand)parents or ACLs.

On Tue, May 03, 2022 at 01:21:12PM +0200, Julian Andres Klode wrote:
> On Thu, Apr 28, 2022 at 01:53:58PM +0200, Salvatore Bonaccorso wrote:
> > Source: networkd-dispatcher
> > Version: 2.1-2
> > Severity: grave
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> > <t...@security.debian.org>
> > 
> > Hi,
> > 
> > The following vulnerabilities were published for networkd-dispatcher.
> > 
> > CVE-2022-29799[0] and CVE-2022-29800[1].
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> I do not believe these are vulnerabilities. Microsoft claims a
> vulnerability exists if there is vulnerable code running under
> the systemd-network user, and claims that apt and epmd run under
> such user, but neither has communicated how those processes are
> vulnerable, nor why they would run under that user.
> 
> It's likely that their tool is a confused deputy, running on a
> system with broken containers where container _apt and epmd
> users are mapped to the same UID as the host systemd-network
> (which still would not give them access to the bus), or it's
> a FUD smear campaign.
> 
> Microsoft also claims that a vulnerability exists if scripts
> are writable by the user, however the directory is owned by
> root, so any scripts in there had to be written there by
> root. As such, that is a local admin choice to allow that
> user to run code as root.
> 
> By the same argument, the code would have to check that any
> parent directory of the scripts is not writable by non-root
> users.
> 
> The proposed fix also would not address this problem in the
> context of ACLs, as it only checks owner user and group,
> and mode, but not whether any ACLs are granted. Hence if that
> were really a bug, it's still not fixed.
> 
> I can prepare a security update for this if people want it,
> but I do not believe in the existence of these bugs or that
> the fixes address them in a meaningful way.
> 
> -- 
> debian developer - deb.li/jak | jak-linux.org - free software dev
> ubuntu core developer                              i speak de, en



-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
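
The gap raised in this thread (a check limited to one directory's owner, group and mode, ignoring other ancestors and ACLs) can be made concrete. The following is an added example, not code from this thread or from the networkd-dispatcher fix. It assumes Linux, where a POSIX access ACL is stored in the `system.posix_acl_access` xattr, and the names `audit_path` and `acl_write_grants` are hypothetical.

```python
import os
import stat
import struct
import sys

ACL_XATTR = "system.posix_acl_access"   # assumption: Linux POSIX ACL xattr
ACL_USER, ACL_GROUP, ACL_MASK, ACL_WRITE = 0x02, 0x08, 0x10, 0x02

def acl_write_grants(blob, trusted_uids=frozenset({0})):
    """Return (kind, id) for named ACL entries whose effective perms include write."""
    # Layout: 4-byte version header, then entries of (le16 tag, le16 perm, le32 id).
    entries = [struct.unpack_from("<HHI", blob, off) for off in range(4, len(blob) - 7, 8)]
    mask = next((perm for tag, perm, _ in entries if tag == ACL_MASK), 0o7)
    grants = []
    for tag, perm, ident in entries:
        if tag in (ACL_USER, ACL_GROUP) and perm & mask & ACL_WRITE:
            if tag == ACL_USER and ident in trusted_uids:
                continue
            grants.append(("user" if tag == ACL_USER else "group", ident))
    return grants

def audit_path(path, trusted_uids=frozenset({0})):
    """Check path and every ancestor up to / for write access by non-trusted users."""
    findings = []
    current = os.path.realpath(path)    # resolve symlinks before walking upwards
    while True:
        st = os.lstat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}"))
        # Conservative: any group or other write bit is reported, whatever the group.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, f"group/other writable, mode {stat.S_IMODE(st.st_mode):o}"))
        try:
            blob = os.getxattr(current, ACL_XATTR)
        except (OSError, AttributeError):   # no ACL stored, unsupported fs, or non-Linux
            blob = b""
        for kind, ident in acl_write_grants(blob, trusted_uids):
            findings.append((current, f"ACL grants write to {kind} {ident}"))
        parent = os.path.dirname(current)
        if parent == current:           # reached the filesystem root
            return findings
        current = parent

if __name__ == "__main__":
    for target in sys.argv[1:]:
        for where, why in audit_path(target):
            print(f"{target}: {where}: {why}")
```

An empty result only covers ownership, mode bits and access ACLs at the time of the check; it does not cover default ACLs or changes made afterwards.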
