On 6/27/25 22:05, Salvatore Bonaccorso wrote:
Source: ceph
Version: 18.2.7-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ceph.
CVE-2025-52555[0]:
| Ceph is a distributed object, block, and file storage platform. In
| versions 17.2.7, 18.2.1 through 18.2.4, and 19.0.0 through 19.2.2,
| an unprivileged user can escalate to root privileges in a ceph-fuse
| mounted CephFS by chmod 777 a directory owned by root to gain
| access. The result of this is that a user could read, write and
| execute to any directory owned by root as long as they chmod 777 it.
| This impacts confidentiality, integrity, and availability. It is
| patched in versions 17.2.8, 18.2.5, and 19.2.3.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-52555
https://www.cve.org/CVERecord?id=CVE-2025-52555
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2374412
[2] https://www.openwall.com/lists/oss-security/2025/06/26/1
[3] https://github.com/ceph/ceph/pull/60314
[4] https://github.com/ceph/ceph/security/advisories/GHSA-89hm-qq33-2fjm
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore

Hi Salvatore,
FYI, the version 18.2.7-2 currently in unstable & testing isn't
affected, as it already contains the patch (I just checked). Please
adjust the security tracker accordingly.
Cheers,
Thomas Goirand (zigo)