[Dx-packages] [Bug 1974250] Re: ~/.pam_environment gets created as owned by root
On 2022-05-20 16:54, Marc Deslauriers wrote:
> Or remove those scripts from Debian completely...looks like they
> were added because of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756259 ,
> but muon doesn't seem to use them anymore...

FTR I removed 0009-language-tools.patch from Debian.

https://salsa.debian.org/freedesktop-team/accountsservice/-/commit/294910b8

Let's see if somebody complains.. Hopefully not.

--
You received this bug notification because you are a member of DX
Packages, which is subscribed to accountsservice in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1974250

Title:
  ~/.pam_environment gets created as owned by root

Status in accountsservice package in Ubuntu:
  Fix Released
Status in accountsservice source package in Jammy:
  Fix Released
Status in accountsservice source package in Kinetic:
  Fix Released

Bug description:
  Something has happened lately with accountsservice, which makes it act
  as root instead of the current user when creating ~/.pam_environment.
  The very old bug #904395 comes to mind, and this smells a security
  issue.

  The function which is supposed to prevent this behavior is here:

  https://salsa.debian.org/freedesktop-team/accountsservice/-/blob/ubuntu/debian/patches/0010-set-language.patch#L75

  Haven't investigated further yet.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/1974250/+subscriptions

--
Mailing list: https://launchpad.net/~dx-packages
Post to     : dx-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dx-packages
More help   : https://help.launchpad.net/ListHelp

[Dx-packages] [Bug 1974250] Re: ~/.pam_environment gets created as owned by root
This bug was fixed in the package accountsservice - 22.07.5-2ubuntu2

---
accountsservice (22.07.5-2ubuntu2) kinetic; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: accountsservice incorrect privilege dropping
    (LP: #1974250)
    - debian/patches/0009-language-tools.patch: updated to not reset
      effective uid, and migrate root-owned .pam_environment file.
    - This change was originally known as CVE-2020-16126 and got
      reverted by mistake in 0.6.55-3ubuntu1.
    - CVE-2022-1804

  * Fix FTBFS with a newer python-dbusmock package:
    - debian/patches/adduser_invocation.patch: fix invocation of
      AddUser in tests/dbusmock/accounts_service.py.
    - debian/patches/setlocked_signature.patch: fix the signature for
      the SetLocked call in tests/dbusmock/accounts_service.py.

 -- Gunnar Hjalmarsson Tue, 24 May 2022 19:53:07 +0200

** Changed in: accountsservice (Ubuntu Kinetic)
       Status: Fix Committed => Fix Released

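A check an administrator could run for the symptom this bug reports, a ~/.pam_environment that is not owned by its account. This is an added example, not part of the thread or of accountsservice; the function name check_pam_env and the reliance on GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example (not from accountsservice): report accounts whose
# ~/.pam_environment is owned by a different uid than the account,
# e.g. root-owned files left behind by the bug described above.
# Usage: check_pam_env [passwd-file]   (default: /etc/passwd)
# Assumes GNU coreutils stat (-c %u).

check_pam_env() {
    passwd_file=${1:-/etc/passwd}
    mismatches=0
    # passwd fields: name:password:uid:gid:gecos:home:shell
    while IFS=: read -r name _pw uid _gid _gecos home _shell; do
        [ -n "$home" ] || continue
        f="$home/.pam_environment"
        # -e follows symlinks, so also test -L to catch a dangling link
        [ -e "$f" ] || [ -L "$f" ] || continue
        # stat without -L reports the owner of the link itself, not its target
        owner=$(stat -c %u -- "$f") || continue
        if [ "$owner" != "$uid" ]; then
            printf '%s: %s owned by uid %s, expected %s\n' \
                "$name" "$f" "$owner" "$uid"
            mismatches=$((mismatches + 1))
        fi
    done < "$passwd_file"
    # Exit status 0 only when every existing file matches its account
    [ "$mismatches" -eq 0 ]
}
```

The function prints one line per mismatch and returns non-zero if it found any, so it can be used directly in a cron job or compliance check.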
[Dx-packages] [Bug 1974250] Re: ~/.pam_environment gets created as owned by root
** Changed in: accountsservice (Ubuntu Kinetic)
       Status: Confirmed => Fix Committed

Status in accountsservice package in Ubuntu:
  Fix Committed
Status in accountsservice source package in Jammy:
  Fix Released
Status in accountsservice source package in Kinetic:
  Fix Committed

[Dx-packages] [Bug 1974250] Re: ~/.pam_environment gets created as owned by root
** Tags added: patch

Status in accountsservice package in Ubuntu:
  Confirmed
Status in accountsservice source package in Jammy:
  Fix Released
Status in accountsservice source package in Kinetic:
  Confirmed

[Dx-packages] [Bug 1974250] Re: ~/.pam_environment gets created as owned by root
** Information type changed from Private Security to Public Security

** Also affects: accountsservice (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: accountsservice (Ubuntu Kinetic)
   Importance: High
       Status: Fix Released

** Changed in: accountsservice (Ubuntu Jammy)
       Status: New => Fix Released

** Changed in: accountsservice (Ubuntu Kinetic)
       Status: Fix Released => Confirmed

Status in accountsservice package in Ubuntu:
  Confirmed
Status in accountsservice source package in Jammy:
  Fix Released
Status in accountsservice source package in Kinetic:
  Confirmed