Control: tags -1 confirmed

Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Hi
>
> Please unblock package eject
>
> Ilja Van Sprundel discovered that the dmcrypt-get-device helper used to
> check if a given device is an encrypted device handled by devmapper, and used
> in eject, does not check return values from setuid() and setgid() when
> dropping privileges. It is not clear if that can be used to execute code as
> root, since all that comes after dropping privileges should actually be from
> a trusted source. But we wanted to be rather sure and released a DSA for eject.
>
> Attached is the debdiff against the version in testing.
>
> unblock eject/2.1.5+deb1+cvs20081104-13.2
>
> Regards,
> Salvatore
>
> [...]

Ok with me; CC'ing KiBi for a d-i ack.

Thanks,
~Niels
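
The bug class described in the quoted request, unchecked setuid()/setgid() during a privilege drop, shown beside a checked version. This is an added example, not part of the thread and not code from eject or its debdiff; `struct id_ops`, `failing_setuid`, `drop_unchecked` and `drop_checked` are hypothetical names, and the failing setuid() is a constructed stand-in so the failure path runs without root.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical indirection so the failure path can be exercised without root. */
struct id_ops {
    int (*set_gid)(gid_t);
    int (*set_uid)(uid_t);
};

const struct id_ops real_ops = { setgid, setuid };

/* Constructed stand-in for a kernel refusal of setuid(). */
int failing_setuid(uid_t uid) { (void)uid; return -1; }

/* Pattern described in the report: return values ignored, caller carries on. */
int drop_unchecked(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    ops->set_gid(gid);
    ops->set_uid(uid);
    return 0;               /* always reports success */
}

/* Checked drop: 0 only if both calls succeeded and the IDs really match. */
int drop_checked(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    /* Group first: once root's uid is given up, setgid() is not permitted. */
    if (ops->set_gid(gid) != 0)
        return -1;
    if (ops->set_uid(uid) != 0)
        return -1;
    /* Confirm real and effective IDs match the target before continuing. */
    if (getgid() != gid || getegid() != gid || getuid() != uid || geteuid() != uid)
        return -1;
    return 0;
}

int main(void)
{
    const struct id_ops broken = { setgid, failing_setuid };

    printf("unchecked, setuid fails: %d\n", drop_unchecked(&broken, getuid(), getgid()));
    printf("checked,   setuid fails: %d\n", drop_checked(&broken, getuid(), getgid()));
    if (drop_checked(&real_ops, getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    return 0;
}
```

A setuid helper would call `drop_checked(&real_ops, getuid(), getgid())` and exit on any non-zero result instead of continuing with its elevated IDs.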