severity 725357 normal retitle 725357 CVE-2013-4392: TOCTOU race condition when updating file permissions and SELinux security contexts thanks
On Fri, Oct 04, 2013 at 03:41:54PM +0200, Moritz Muehlenhoff wrote: > Package: systemd > Severity: grave > Tags: security > > Four security issues have been discovered in systemd by Florian Weimer: > > CVE-2013-4394 [systemd: Improper sanitization of invalid XKB layouts > descriptions] > https://bugzilla.redhat.com/show_bug.cgi?id=862324 > http://cgit.freedesktop.org/systemd/systemd/commit/?id=0b507b17a760b21e33fc52ff377db6aa5086c680 Fixed in 204-5 and 44-11+deb7u4 > CVE-2013-4393 [systemd: Possibility of denial of logging service by > processing native messages from file] > https://bugzilla.redhat.com/show_bug.cgi?id=859104 > http://cgit.freedesktop.org/systemd/systemd/commit/?id=1dfa7e79a60de680086b1d93fcc3629b463f58bd Fixed in 204-5 and 44-11+deb7u4 > CVE-2013-4392 [systemd: TOCTOU race condition when updating file permissions > and SELinux security contexts] > https://bugzilla.redhat.com/show_bug.cgi?id=859060 > No upstream fix is available, but we don't support /etc/tmpfiles.d anyway We do use the tmpfiles mechanism in systemd, but the combination of both selinux and systemd is very unlikely. > CVE-2013-4391 [systemd: Integer overflow, leading to heap-based buffer > overflow by processing native messages] > https://bugzilla.redhat.com/show_bug.cgi?id=859051 > http://cgit.freedesktop.org/systemd/systemd/commit/?id=505b6a61c22d5565e9308045c7b9bf79f7d0517e Fixed in 204-5 and 44-11+deb7u4 Seeing that all issues aside CVE-2013-4392 are already fixed in sid and the likelyhood to hit CVE-2013-4392 is very minimal, I'm downgrading the severity to normal and retitle the bug accordingly. Michael
signature.asc
Description: Digital signature

