Your message dated Sat, 10 Nov 2018 10:42:56 +0000
with message-id <1541846576.3542.38.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.6
has caused the Debian Bug report #907386,
regarding stretch-pu: package libcgroup/0.41-8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
907386: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907386
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

I would like to update libcgroup in Stretch, which is affected by
CVE-2018-14348. The security team has marked this issue as no-dsa.

Please find attached the debdiff. See also
https://bugs.debian.org/906308.

Regards,

Markus
diff -Nru libcgroup-0.41/debian/changelog libcgroup-0.41/debian/changelog
--- libcgroup-0.41/debian/changelog     2016-04-24 18:51:45.000000000 +0200
+++ libcgroup-0.41/debian/changelog     2018-08-19 23:10:45.000000000 +0200
@@ -1,3 +1,13 @@
+libcgroup (0.41-8+deb9u1) stretch; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2018-14348:
+    The cgrulesengd daemon in libcgroup creates log files with world readable
+    and writable permissions due to a reset of the file mode creation mask
+    (umask(0)). (Closes: #906308)
+
+ -- Markus Koschany <a...@debian.org>  Sun, 19 Aug 2018 23:10:45 +0200
+
 libcgroup (0.41-8) unstable; urgency=medium
 
   * Drop package libcgroup-dbg in favor of automatic dbgsym packages.
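Review bot: The changelog entry describes the vulnerable behaviour (log files created world readable and writable because of umask(0)) but not what the fix does; since the attached patch simply drops the umask(0) call, the daemon now keeps whatever file mode creation mask it inherits from the process that starts it, and it would help administrators to say so in the entry, e.g. "Drop the umask(0) call so cgrulesengd keeps the inherited umask when creating its log file." The version string 0.41-8+deb9u1 and the stretch distribution are consistent with a stable update, and the Closes: #906308 reference matches the bug cited in the cover mail.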
diff -Nru libcgroup-0.41/debian/patches/CVE-2018-14348.patch 
libcgroup-0.41/debian/patches/CVE-2018-14348.patch
--- libcgroup-0.41/debian/patches/CVE-2018-14348.patch  1970-01-01 
01:00:00.000000000 +0100
+++ libcgroup-0.41/debian/patches/CVE-2018-14348.patch  2018-08-19 
23:10:45.000000000 +0200
@@ -0,0 +1,23 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sun, 19 Aug 2018 23:09:25 +0200
+Subject: CVE-2018-14348
+
+Bug-Debian: https://bugs.debian.org/906308
+Origin: 
https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590/
+---
+ src/daemon/cgrulesengd.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
+index 367b898..ffd1fc3 100644
+--- a/src/daemon/cgrulesengd.c
++++ b/src/daemon/cgrulesengd.c
+@@ -886,8 +886,6 @@ int cgre_start_daemon(const char *logp, const int logf,
+                       exit(EXIT_SUCCESS);
+               }
+ 
+-              /* Change the file mode mask. */
+-              umask(0);
+       } else {
+               flog(LOG_DEBUG, "Not using daemon mode\n");
+               pid = getpid();
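Review bot: Removing the umask(0) call fixes the reported case, but the resulting log file mode now depends entirely on the umask inherited from the invoking environment (an init script or unit that itself runs with a permissive mask would still yield broadly readable logs); if upstream's change at the referenced Origin commit is to be kept verbatim, consider at least documenting that dependency, otherwise setting an explicit restrictive mask or passing an explicit mode when the log file is opened would make the behaviour independent of the caller. The DEP-3 header also has only a Subject of "CVE-2018-14348" and no Description field; a one-line Description stating that the world-writable log files came from resetting the mask in daemon mode would make the patch self-explanatory. The non-daemon branch shown in the trailing context ("Not using daemon mode") never called umask(0), so the two code paths are now consistent.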
diff -Nru libcgroup-0.41/debian/patches/series 
libcgroup-0.41/debian/patches/series
--- libcgroup-0.41/debian/patches/series        2016-04-24 18:51:45.000000000 
+0200
+++ libcgroup-0.41/debian/patches/series        2018-08-19 23:10:45.000000000 
+0200
@@ -4,3 +4,4 @@
 initscript-return.patch
 Syntax-fixes-for-man-pages.patch
 pam_cgroup-Revert-broken-cache-usage.patch
+CVE-2018-14348.patch

--- End Message ---
--- Begin Message ---
Version: 9.6

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---