Source: pesign
Version: 0.112-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for pesign. I'm filing it for now still as severity grave, but feel free to downgrade if you do not agree on the RC level of the bug. That said, it needs an unprivileged user with access to the pesign user or group. The code has been substantially refactored upstream, and I think the issue is still present in the older versions, where the service is using the pesign-authorize-groups and pesign-authorize-users scripts.

CVE-2022-3560[0]:
| Local privilege escalation on pesign systemd service

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-3560
    https://www.cve.org/CVERecord?id=CVE-2022-3560
[1] https://www.openwall.com/lists/oss-security/2023/01/31/6
[2] https://github.com/rhboot/pesign/commit/d8a8c259994d0278c59b30b41758a8dd0abff998

Regards,
Salvatore