Hi. I will fix unstable today but I don't know how to learn again to fix the old releases in a timely manner between so many things to handle at home and work.

Forking from old git tags and pasting the same new postinst over? So for this part help will be welcome.

Greets,

On Wed, 8 Sep 2021 at 07:21, Martin-Éric Racine <martin-eric.rac...@iki.fi> wrote:
> On Sun, 5 Sep 2021 at 18:41, Salvatore Bonaccorso (car...@debian.org) wrote:
> >
> > Control: clone 992748 -1
> > Control: retitle -1 systemd-cron: CVE-2017-9525: group crontab to root escalation via postinst
> > Control: severity -1 important
> > Control: found -1 1.5.16-1
> > Control: found -1 1.5.14-2
> > Control: tags 992748 - security
> >
> > Hi Chris,
> >
> > On Sun, Sep 05, 2021 at 02:49:40PM +0200, Chris Hofstaedtler wrote:
> > > Control: tags -1 + security
> > >
> > > * Alexandre Detiste <alexandre.deti...@gmail.com> [210905 12:47]:
> > > > On Mon, 23 Aug 2021 at 04:57, Martin-Éric Racine <martin-eric.rac...@iki.fi> wrote:
> > > > > Setting up systemd-cron (1.5.17-1) ...
> > > > > xargs: warning: options --max-args and --replace/-I/-i are mutually exclusive, ignoring previous --max-args value
> > > > > Thanks.
> > > >
> > > > This was copy-pasted from src:cron, which must have the same bug now.
> > >
> > > src:cron removed the offending code as part of a security fix in 2018:
> > >
> > > https://salsa.debian.org/debian/cron/-/commit/a10ab4e346e941aaa92f4b671a96895392b917af
> > >
> > > This would suggest CVE-2017-9525 also affects src:systemd-cron.
> >
> > Looks right and confirmed in a quick test. If the attacker has gained crontab group then further escalation is possible.
> >
> > Though technically those two bugs will be resolved at the same step, I thought it good to separate the escalation issue and the error in postinst (but as said, they will be fixed basically together).
> >
> > Once fixed in unstable, can you please fix the issue as well via upcoming point releases for bullseye and buster? Similarly as for the src:cron case, a DSA is not warranted.
>
> Alexandre,
>
> Do you have time to fix this now? If not, would it be okay for the security team to make an NMU for all affected releases?
>
> Martin-Éric