Re: CVE-2018-10380: kwallet-pam: Access to privileged files
On Wed, May 09, 2018 at 10:30:32PM +0200, Maximiliano Curia wrote:
> Hi Moritz!
>
> On 2018-05-09 at 20:28 +0200, Moritz Mühlenhoff wrote:
> > On Fri, May 04, 2018 at 09:10:47PM +0200, Maximiliano Curia wrote:
> > > Hi Moritz!
> > >
> > > On 2018-05-03 at 23:18 +0200, Maximiliano Curia wrote:
> > > > Hi Moritz!
> > > >
> > > > On 2018-05-03 at 22:56 +0200, Moritz Muehlenhoff wrote:
> > > > > On Thu, May 03, 2018 at 07:29:42PM +0200, Maximiliano Curia wrote:
> > > > > > Hi,
> > > > > >
> > > > > > Following up the upstream announcement of a security flaw in
> > > > > > kwallet-pam [1] I would like to upload the upstream fixes to
> > > > > > stretch. All the versions prior to the (not yet released) 5.12.6 are
> > > > > > affected by this. The fix was backported by upstream to plasma 5.8,
> > > > > > which is what we shipped in stretch.
> > > > > >
> > > > > > The latest 5.8 upstream version (5.8.9), only has a version bump,
> > > > > > and a minor translation update, which are not relevant. [2]
> > > > > >
> > > > > > I have already uploaded the fixes to unstable.
> > > > > >
> > > > > > I'm attaching the corresponding debdiff.
> > > > >
> > > > > Looks good. Please build with -sa since kwallet-pam is new in
> > > > > stretch-security
> > > > > and upload to security-master. I'll take care of the DSA.
> > > >
> > > > Uploaded, thanks for taking care of this!
> > >
> > > If the patched versions are still not published, please don't publish
> > > them, there are a couple of reported regressions with the patches as is.
> > >
> > > https://bugs.kde.org/show_bug.cgi?id=393856
> > >
> > > https://bugs.debian.org/897687
> > >
> > > https://bugs.launchpad.net/ubuntu/+source/kwallet-pam/+bug/1769187
> > >
> > > https://bugs.archlinux.org/task/58446?project=1=kwallet-pam
> > >
> > > I'm really sorry about this.
> >
> > Is the stderr fix all that was needed in addition? If so, can you
> > upload a revised package?
>
> Reuploaded, I used the same version, let me know if you prefer/need a version
> bump.
>
> Thanks for working on this.

Please bump the version, resetting the build status of an existing build
for the security mirrors is a fairly brittle process...

Cheers,
Moritz
Re: CVE-2018-10380: kwallet-pam: Access to privileged files
Hi Moritz!

On 2018-05-09 at 20:28 +0200, Moritz Mühlenhoff wrote:
> On Fri, May 04, 2018 at 09:10:47PM +0200, Maximiliano Curia wrote:
> > Hi Moritz!
> >
> > On 2018-05-03 at 23:18 +0200, Maximiliano Curia wrote:
> > > Hi Moritz!
> > >
> > > On 2018-05-03 at 22:56 +0200, Moritz Muehlenhoff wrote:
> > > > On Thu, May 03, 2018 at 07:29:42PM +0200, Maximiliano Curia wrote:
> > > > > Hi,
> > > > >
> > > > > Following up the upstream announcement of a security flaw in
> > > > > kwallet-pam [1] I would like to upload the upstream fixes to
> > > > > stretch. All the versions prior to the (not yet released) 5.12.6 are
> > > > > affected by this. The fix was backported by upstream to plasma 5.8,
> > > > > which is what we shipped in stretch.
> > > > >
> > > > > The latest 5.8 upstream version (5.8.9), only has a version bump,
> > > > > and a minor translation update, which are not relevant. [2]
> > > > >
> > > > > I have already uploaded the fixes to unstable.
> > > > >
> > > > > I'm attaching the corresponding debdiff.
> > > >
> > > > Looks good. Please build with -sa since kwallet-pam is new in
> > > > stretch-security
> > > > and upload to security-master. I'll take care of the DSA.
> > >
> > > Uploaded, thanks for taking care of this!
> >
> > If the patched versions are still not published, please don't publish
> > them, there are a couple of reported regressions with the patches as is.
> >
> > https://bugs.kde.org/show_bug.cgi?id=393856
> >
> > https://bugs.debian.org/897687
> >
> > https://bugs.launchpad.net/ubuntu/+source/kwallet-pam/+bug/1769187
> >
> > https://bugs.archlinux.org/task/58446?project=1=kwallet-pam
> >
> > I'm really sorry about this.
>
> Is the stderr fix all that was needed in addition? If so, can you
> upload a revised package?

Reuploaded, I used the same version, let me know if you prefer/need a version
bump.

Thanks for working on this.

Happy hacking,
--
Volunteers are needed to take over the world.
Regards /\/\ /\ >< `/
Re: CVE-2018-10380: kwallet-pam: Access to privileged files
On Fri, May 04, 2018 at 09:10:47PM +0200, Maximiliano Curia wrote:
> Hi Moritz!
>
> On 2018-05-03 at 23:18 +0200, Maximiliano Curia wrote:
> > Hi Moritz!
> >
> > On 2018-05-03 at 22:56 +0200, Moritz Muehlenhoff wrote:
> > > On Thu, May 03, 2018 at 07:29:42PM +0200, Maximiliano Curia wrote:
> > > > Hi,
> > > >
> > > > Following up the upstream announcement of a security flaw in
> > > > kwallet-pam [1] I would like to upload the upstream fixes to
> > > > stretch. All the versions prior to the (not yet released) 5.12.6 are
> > > > affected by this. The fix was backported by upstream to plasma 5.8,
> > > > which is what we shipped in stretch.
> > > >
> > > > The latest 5.8 upstream version (5.8.9), only has a version bump,
> > > > and a minor translation update, which are not relevant. [2]
> > > >
> > > > I have already uploaded the fixes to unstable.
> > > >
> > > > I'm attaching the corresponding debdiff.
> > >
> > > Looks good. Please build with -sa since kwallet-pam is new in
> > > stretch-security
> > > and upload to security-master. I'll take care of the DSA.
> >
> > Uploaded, thanks for taking care of this!
>
> If the patched versions are still not published, please don't publish
> them, there are a couple of reported regressions with the patches as is.
>
> https://bugs.kde.org/show_bug.cgi?id=393856
>
> https://bugs.debian.org/897687
>
> https://bugs.launchpad.net/ubuntu/+source/kwallet-pam/+bug/1769187
>
> https://bugs.archlinux.org/task/58446?project=1=kwallet-pam
>
> I'm really sorry about this.

Is the stderr fix all that was needed in addition? If so, can you
upload a revised package?

Cheers,
Moritz
Re: CVE-2018-10380: kwallet-pam: Access to privileged files
On Fri, May 04, 2018 at 09:10:47PM +0200, Maximiliano Curia wrote:
> Hi Moritz!
>
> On 2018-05-03 at 23:18 +0200, Maximiliano Curia wrote:
> > Hi Moritz!
> >
> > On 2018-05-03 at 22:56 +0200, Moritz Muehlenhoff wrote:
> > > On Thu, May 03, 2018 at 07:29:42PM +0200, Maximiliano Curia wrote:
> > > > Hi,
> > > >
> > > > Following up the upstream announcement of a security flaw in
> > > > kwallet-pam [1] I would like to upload the upstream fixes to
> > > > stretch. All the versions prior to the (not yet released) 5.12.6 are
> > > > affected by this. The fix was backported by upstream to plasma 5.8,
> > > > which is what we shipped in stretch.
> > > >
> > > > The latest 5.8 upstream version (5.8.9), only has a version bump,
> > > > and a minor translation update, which are not relevant. [2]
> > > >
> > > > I have already uploaded the fixes to unstable.
> > > >
> > > > I'm attaching the corresponding debdiff.
> > >
> > > Looks good. Please build with -sa since kwallet-pam is new in
> > > stretch-security
> > > and upload to security-master. I'll take care of the DSA.
> >
> > Uploaded, thanks for taking care of this!
>
> If the patched versions are still not published, please don't publish
> them, there are a couple of reported regressions with the patches as is.
>
> https://bugs.kde.org/show_bug.cgi?id=393856
>
> https://bugs.debian.org/897687
>
> https://bugs.launchpad.net/ubuntu/+source/kwallet-pam/+bug/1769187
>
> https://bugs.archlinux.org/task/58446?project=1=kwallet-pam
>
> I'm really sorry about this.

That's great timing :-) I was about to test and release the update this
evening, but I'll put it on hold for now.

Cheers,
Moritz
Re: CVE-2018-10380: kwallet-pam: Access to privileged files
Hi Moritz!

On 2018-05-03 at 23:18 +0200, Maximiliano Curia wrote:
> Hi Moritz!
>
> On 2018-05-03 at 22:56 +0200, Moritz Muehlenhoff wrote:
> > On Thu, May 03, 2018 at 07:29:42PM +0200, Maximiliano Curia wrote:
> > > Hi,
> > >
> > > Following up the upstream announcement of a security flaw in
> > > kwallet-pam [1] I would like to upload the upstream fixes to
> > > stretch. All the versions prior to the (not yet released) 5.12.6 are
> > > affected by this. The fix was backported by upstream to plasma 5.8,
> > > which is what we shipped in stretch.
> > >
> > > The latest 5.8 upstream version (5.8.9), only has a version bump,
> > > and a minor translation update, which are not relevant. [2]
> > >
> > > I have already uploaded the fixes to unstable.
> > >
> > > I'm attaching the corresponding debdiff.
> >
> > Looks good. Please build with -sa since kwallet-pam is new in
> > stretch-security
> > and upload to security-master. I'll take care of the DSA.
>
> Uploaded, thanks for taking care of this!

If the patched versions are still not published, please don't publish
them, there are a couple of reported regressions with the patches as is.

https://bugs.kde.org/show_bug.cgi?id=393856

https://bugs.debian.org/897687

https://bugs.launchpad.net/ubuntu/+source/kwallet-pam/+bug/1769187

https://bugs.archlinux.org/task/58446?project=1=kwallet-pam

I'm really sorry about this.

Happy hacking,
--
"The sooner you start to code, the longer the program will take." -- Roy Carlson
Regards /\/\ /\ >< `/
Re: CVE-2018-10380: kwallet-pam: Access to privileged files
Hi Moritz!

On 2018-05-03 at 22:56 +0200, Moritz Muehlenhoff wrote:
> On Thu, May 03, 2018 at 07:29:42PM +0200, Maximiliano Curia wrote:
> > Hi,
> >
> > Following up the upstream announcement of a security flaw in
> > kwallet-pam [1] I would like to upload the upstream fixes to
> > stretch. All the versions prior to the (not yet released) 5.12.6 are
> > affected by this. The fix was backported by upstream to plasma 5.8,
> > which is what we shipped in stretch.
> >
> > The latest 5.8 upstream version (5.8.9), only has a version bump,
> > and a minor translation update, which are not relevant. [2]
> >
> > I have already uploaded the fixes to unstable.
> >
> > I'm attaching the corresponding debdiff.
>
> Looks good. Please build with -sa since kwallet-pam is new in
> stretch-security
> and upload to security-master. I'll take care of the DSA.

Uploaded, thanks for taking care of this!

Happy hacking,
--
"The length of a minute depends on which side of the bathroom you are on."
-- Law of Relativity (Burke)
Regards /\/\ /\ >< `/
Re: CVE-2018-10380: kwallet-pam: Access to privileged files
On Thu, May 03, 2018 at 07:29:42PM +0200, Maximiliano Curia wrote:
> Hi,
>
> Following up the upstream announcement of a security flaw in
> kwallet-pam [1] I would like to upload the upstream fixes to
> stretch. All the versions prior to the (not yet released) 5.12.6 are
> affected by this. The fix was backported by upstream to plasma 5.8,
> which is what we shipped in stretch.
>
> The latest 5.8 upstream version (5.8.9), only has a version bump,
> and a minor translation update, which are not relevant. [2]
>
> I have already uploaded the fixes to unstable.
>
> I'm attaching the corresponding debdiff.

Looks good. Please build with -sa since kwallet-pam is new in stretch-security
and upload to security-master. I'll take care of the DSA.

Cheers,
Moritz