Your message dated Fri, 11 Jan 2019 12:53:11 +0000
with message-id <e1ghwjd-0003mt...@fasolo.debian.org>
and subject line Bug#918956: fixed in tmpreaper 1.6.14
has caused the Debian Bug report #918956,
regarding tmpreaper: CVE-2019-3461
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
918956: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918956
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tmpreaper
Version: 1.6.13+nmu1
Severity: grave
Tags: security
Control: fixed -1 1.6.13+nmu1+deb9u1
Hi,
The following vulnerability was published for tmpreaper, as per DSA
4365-1.
CVE-2019-3461[0]:
Stephen Roettger discovered a race condition in tmpreaper, a program that
cleans up files in directories based on their age, which could result in
local privilege escalation.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tmpreaper
Source-Version: 1.6.14
We believe that the bug you reported is fixed in the latest version of
tmpreaper, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 918...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Slootman <p...@debian.org> (supplier of updated tmpreaper package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 11 Jan 2019 13:27:15 +0100
Source: tmpreaper
Binary: tmpreaper
Architecture: source amd64
Version: 1.6.14
Distribution: unstable
Urgency: medium
Maintainer: Paul Slootman <p...@debian.org>
Changed-By: Paul Slootman <p...@debian.org>
Description:
tmpreaper - cleans up files in directories based on their age
Closes: 918956
Changes:
tmpreaper (1.6.14) unstable; urgency=medium
.
* Upload to unstable to fix the race condition described in CVE-2019-3461:
There was a race condition when tmpreaper was testing for a (bind) mount,
which was done via rename() which could potentially lead to a file being
placed elsewhere on the filesystem hierarchy (e.g. /etc/cron.d/) if the
directory being cleaned up was on the same physical filesystem.
This has been fixed by using an alternative way of looking for bind mounts
using code from mountpoint (from the util-linux package).
closes: #918956
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
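A read-only way to test whether a directory is a (bind) mount point, as an added example that is not tmpreaper's or util-linux's own code: it looks the path up in text in the format of Linux's /proc/self/mountinfo instead of probing with rename(). The function names and the sample mount table are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample in /proc/self/mountinfo format. The last entry is a
 * bind mount of /srv/data: same device (8:1) as "/", but its own line. */
static const char SAMPLE[] =
    "21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "22 21 0:20 / /proc rw,nosuid - proc proc rw\n"
    "35 21 8:1 /srv/data /tmp/bind\\040dir rw,relatime - ext4 /dev/sda1 rw\n";

/* Decode the \ooo octal escapes the kernel writes for space, tab, etc. */
static void unescape(char *s)
{
    char *out = s;
    while (*s) {
        if (s[0] == '\\' && s[1] >= '0' && s[1] <= '3' &&
            s[2] >= '0' && s[2] <= '7' && s[3] >= '0' && s[3] <= '7') {
            *out++ = (char)(((s[1] - '0') << 6) | ((s[2] - '0') << 3) | (s[3] - '0'));
            s += 4;
        } else {
            *out++ = *s++;
        }
    }
    *out = '\0';
}

/* Return 1 if `path` (absolute, canonical) is the mount point (field 5) of
 * an entry in `mountinfo`, 0 if not, -1 on a malformed line. Read-only. */
int is_mount_target(const char *mountinfo, const char *path)
{
    char line[4096], target[4096];
    while (*mountinfo) {
        size_t n = strcspn(mountinfo, "\n");
        if (n >= sizeof line) return -1;
        memcpy(line, mountinfo, n);
        line[n] = '\0';
        mountinfo += n + (mountinfo[n] == '\n');
        if (sscanf(line, "%*d %*d %*s %*s %4095s", target) != 1) return -1;
        unescape(target);
        if (strcmp(target, path) == 0) return 1;
    }
    return 0;
}

int main(void)
{
    printf("%d %d\n", is_mount_target(SAMPLE, "/tmp/bind dir"),
           is_mount_target(SAMPLE, "/tmp/other"));
    return 0;
}
```

Because the bind mount has its own mountinfo entry, it is found even though it shares a device number with its parent, and the check creates, renames and removes nothing on the filesystem being cleaned.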