On Thu, Apr 28, 2022 at 01:53:58PM +0200, Salvatore Bonaccorso wrote:
> Source: networkd-dispatcher
> Version: 2.1-2
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> <t...@security.debian.org>
> 
> Hi,
> 
> The following vulnerabilities were published for networkd-dispatcher.
> 
> CVE-2022-29799[0] and CVE-2022-29800[1].
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

I do not believe these are vulnerabilities. Microsoft claims a
vulnerability exists if there is vulnerable code running under
the systemd-network user, and claims that apt and epmd run under
such a user, but neither has communicated how those processes are
vulnerable, nor why they would run under that user.

It's likely that their tool is a confused deputy, running on a
system with broken containers where container _apt and epmd
users are mapped to the same UID as the host systemd-network
(which still would not give them access to the bus), or it's
a FUD smear campaign.

Microsoft also claims that a vulnerability exists if scripts
are writable by the user, however the directory is owned by
root, so any scripts in there had to be written there by
root. As such, that is a local admin choice to allow that
user to run code as root.

By the same argument, the code would have to check that any
parent directory of the scripts is not writable by non-root
users.

The proposed fix also would not address this problem in the
context of ACLs, as it only checks owner user and group,
and mode, but not whether any ACLs are granted. Hence if that
were really a bug, it's still not fixed.

I can prepare a security update for this if people want it,
but I do not believe in the existence of these bugs or that
the fixes address them in a meaningful way.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
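
The two checks the message names, writable parent directories and ACL grants, written out as an added example (not code from networkd-dispatcher or from the proposed fix): it walks from a script up to `/` and reports owner, mode and POSIX ACL findings. It assumes Linux, where the access ACL is stored in the `system.posix_acl_access` xattr; `findings`, `acl_writers` and `SAMPLE_ACL` are names made up here, and the sample ACL is constructed.

```python
import os
import stat
import struct

ACL_USER, ACL_GROUP, ACL_MASK = 0x02, 0x08, 0x10  # entry tags, Linux ACL xattr
ACL_WRITE = 0x02

# Constructed sample: user::rwx, user:1000:rw-, group::r-x, mask::rwx, other::r-x
SAMPLE_ACL = struct.pack("<I", 2) + b"".join(
    struct.pack("<HHI", tag, perm, ident) for tag, perm, ident in [
        (0x01, 7, 0xFFFFFFFF), (ACL_USER, 6, 1000), (0x04, 5, 0xFFFFFFFF),
        (ACL_MASK, 7, 0xFFFFFFFF), (0x20, 5, 0xFFFFFFFF)])


def acl_writers(blob):
    """Named users/groups that a system.posix_acl_access value lets write."""
    if len(blob) < 4 or struct.unpack_from("<I", blob)[0] != 2:
        raise ValueError("not a version 2 POSIX ACL xattr")
    entries = [struct.unpack_from("<HHI", blob, off)
               for off in range(4, len(blob) - 7, 8)]
    # Named entries are only effective up to the mask entry.
    mask = next((perm for tag, perm, _ in entries if tag == ACL_MASK), 0o7)
    return [("user" if tag == ACL_USER else "group", ident)
            for tag, perm, ident in entries
            if tag in (ACL_USER, ACL_GROUP) and perm & mask & ACL_WRITE]


def findings(path, trusted_uid=0):
    """(path, reason) pairs for the script and every ancestor directory."""
    out, cur = [], os.path.realpath(path)
    while True:
        st = os.stat(cur)
        if st.st_uid != trusted_uid:
            out.append((cur, f"owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWOTH:  # conservative: sticky dirs are flagged too
            out.append((cur, "world-writable"))
        if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            out.append((cur, f"writable by gid {st.st_gid}"))
        try:
            blob = os.getxattr(cur, "system.posix_acl_access")
            for kind, ident in acl_writers(blob):
                out.append((cur, f"ACL grants write to {kind} {ident}"))
        except (OSError, AttributeError):
            pass  # no ACL on this inode, or xattrs unavailable here
        parent = os.path.dirname(cur)
        if parent == cur:
            return out
        cur = parent
```

An empty list from `findings` means only the trusted UID (and members of GID 0, if group-writable) can change the script or rename any directory on the way to it.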
