Bug#989049: debspawn: privilege escalation via uid reuse

2021-05-25 Thread Salvatore Bonaccorso
Hi,

On Tue, May 25, 2021 at 06:46:33PM +0200, Matthias Klumpp wrote:
> On Tue, 25 May 2021 at 13:21, Salvatore Bonaccorso wrote:
> > [...]
> > >
> > > Can you please elaborate on why you reopened this issue? I believe it
> > > has indeed been addressed with version 0.4.2-1, there is no mo

Bug#989049: debspawn: privilege escalation via uid reuse

2021-05-25 Thread Matthias Klumpp
On Tue, 25 May 2021 at 13:21, Salvatore Bonaccorso wrote:
> [...]
> >
> > Can you please elaborate on why you reopened this issue? I believe it
> > has indeed been addressed with version 0.4.2-1, there is no more uid
> > reuse for the build user and Debspawn will pick a free uid that is not

Bug#989049: debspawn: privilege escalation via uid reuse

2021-05-25 Thread Salvatore Bonaccorso
Hi,

On Tue, May 25, 2021 at 10:32:36AM +0200, Matthias Klumpp wrote:
> Hi Salvatore!
>
> On Tue, 25 May 2021 at 06:51, Debian Bug Tracking System wrote:
> >
> > Processing commands for cont...@bugs.debian.org:
> >
> > > found 989049 0.4.2-1
> > Bug #989049 {Done: Matthias Klumpp } [debsp

Bug#989049: debspawn: privilege escalation via uid reuse

2021-05-25 Thread Matthias Klumpp
Hi Salvatore!

On Tue, 25 May 2021 at 06:51, Debian Bug Tracking System wrote:
>
> Processing commands for cont...@bugs.debian.org:
>
> > found 989049 0.4.2-1
> Bug #989049 {Done: Matthias Klumpp } [debspawn] debspawn:
> privilege escalation via uid reuse
> There is no source info for the p

Bug#989049: debspawn: privilege escalation via uid reuse

2021-05-24 Thread Helmut Grohne
Package: debspawn
Severity: serious
Justification: security hole
Tags: security

When building a package using debspawn, it dynamically allocates a system user that is used to perform the build. Since system users are allocated sequentially, the chosen uid is very likely to collide with a uid outsi