Hi Tormod,
On Mon, Jun 14, 2021 at 11:43:44PM +0200, Tormod Volden wrote:
> This issue is marked as affecting 5.42+dfsg1-1 in buster (and even
> stretch) in our CVE tracker, however the set_cap action was first
> added in 5.44+dfsg1-1.
>
> https://security-tracker.debian.org/tracker/CVE-2021-3152
This issue is marked as affecting 5.42+dfsg1-1 in buster (and even
stretch) in our CVE tracker, however the set_cap action was first
added in 5.44+dfsg1-1.
https://security-tracker.debian.org/tracker/CVE-2021-31523
Tormod
Hi,
On Sun, Jun 06, 2021 at 12:46:40PM +0200, Andrej Shadura wrote:
> Hi,
>
> On Sun, 6 Jun 2021, at 12:44, Tormod Volden wrote:
> > Hi Salvatore and Andrew,
> >
> > I have prepared a xscreensaver 5.45+dfsg1-2 (which removes the setcap)
> > in git. Andrew is my regular sponsor. Andrew, can you p
Hi,
On Sun, 6 Jun 2021, at 12:44, Tormod Volden wrote:
> Hi Salvatore and Andrew,
>
> I have prepared a xscreensaver 5.45+dfsg1-2 (which removes the setcap)
> in git. Andrew is my regular sponsor. Andrew, can you please upload
> this version? Or if you have no time, can Salvatore do it?
>
> Best
Hi Salvatore and Andrew,
I have prepared a xscreensaver 5.45+dfsg1-2 (which removes the setcap)
in git. Andrew is my regular sponsor. Andrew, can you please upload
this version? Or if you have no time, can Salvatore do it?
Best regards,
Tormod
On Sat, Jun 5, 2021 at 3:08 PM Salvatore Bonaccorso
Hi Tormod,
On Thu, May 06, 2021 at 07:38:34PM +0200, Moritz Mühlenhoff wrote:
> On Mon, Apr 19, 2021 at 11:42:54AM +0200, Moritz Muehlenhoff wrote:
> > On Sun, Apr 18, 2021 at 07:21:31PM +0200, Tormod Volden wrote:
> > > Yes, I think dropping the set_cap is the easy way out of here. sonar
> > > w
On Mon, Apr 19, 2021 at 11:42:54AM +0200, Moritz Muehlenhoff wrote:
> On Sun, Apr 18, 2021 at 07:21:31PM +0200, Tormod Volden wrote:
> > Yes, I think dropping the set_cap is the easy way out of here. sonar
> > will still be visually pleasing, just not so interesting.
>
> Let's do that for buster/
On Sun, Apr 18, 2021 at 07:21:31PM +0200, Tormod Volden wrote:
> Yes, I think dropping the set_cap is the easy way out of here. sonar
> will still be visually pleasing, just not so interesting.
Let's do that for buster/bullseye? And when xscreensaver gets updated to 6.00
after the release, it can
As I said, it's already fixed in 6.00. The fix is just to configure without
setcap and use setuid instead, which works properly with Mesa.
I assume that having 6.00 distributed by Debian prior to 2035 would be asking
too much, but we dare to dream.
On Sun, Apr 18, 2021 at 7:04 PM Salvatore Bonaccorso wrote:
> Sure I did as I'm on the team alias as well. Given it looks unlikely
> that mesa will fix it (at the moment?) I though/think we should
> probably do something on xscreensaver's side in Debian as well.
>
> Is the sonar screensaver frequen
Hi Tormod,
On Sun, Apr 18, 2021 at 07:04:37PM +0200, Salvatore Bonaccorso wrote:
> Hi Tormod,
>
> [Adding the team@s.d.o to CC as we do not automatically follow
> security tagged bugs]
>
> On Sun, Apr 18, 2021 at 06:57:53PM +0200, Tormod Volden wrote:
> > Indeed, as Jamie points out, the problem
Hi Tormod,
[Adding the team@s.d.o to CC as we do not automatically follow
security tagged bugs]
On Sun, Apr 18, 2021 at 06:57:53PM +0200, Tormod Volden wrote:
> Indeed, as Jamie points out, the problem is in Mesa.
>
> Salvatore, why did you file this against xscreensaver? I thought you
> had fol
Indeed, as Jamie points out, the problem is in Mesa.
Salvatore, why did you file this against xscreensaver? I thought you
had followed the e-mail discussion we had with Tavis?
Tormod
Already fixed in XScreenSaver 6.00.
The bug is in Mesa: it has a panoply of env vars that do what LD_PRELOAD does,
except Mesa only checks geteuid instead of checking getauxval AT_SECURE, as the
kernel does. So anything that uses both Mesa and setcap is vulnerable.
Ironically, using setuid ins
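As an added illustration of the check described in the message above (example code, not code from Mesa or XScreenSaver; function names are mine): the uid/euid comparison a library might rely on, beside the AT_SECURE flag the kernel sets and ld.so consults before honouring LD_PRELOAD. Only the setcap scenario is constructed; the live wrapper queries the running process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE; glibc >= 2.16, Linux only */

/* The weak test: compares only the effective uid with the real uid.
 * A setuid binary trips it, but a binary granted file capabilities via
 * setcap runs with uid == euid, so it looks "normal" here. */
int env_trusted_by_euid(unsigned uid, unsigned euid)
{
    return uid == euid;
}

/* The kernel's answer: AT_SECURE in the aux vector is non-zero whenever the
 * exec raised privilege (setuid, setgid, or file capabilities). It is the
 * same signal ld.so uses to drop LD_PRELOAD and friends. */
int env_trusted_by_at_secure(unsigned long at_secure)
{
    return at_secure == 0;
}

/* Combined policy for a library that honours code-loading env vars:
 * refuse if the kernel flagged secure execution, and also refuse on a
 * plain uid/euid mismatch as a fallback. */
int should_honor_env(unsigned long at_secure, unsigned uid, unsigned euid)
{
    return env_trusted_by_at_secure(at_secure) && env_trusted_by_euid(uid, euid);
}

/* Live wrapper: consult the running process before reading an override.
 * Returns NULL when the variable must be ignored. */
const char *safe_getenv_override(const char *name)
{
    if (!should_honor_env(getauxval(AT_SECURE), getuid(), geteuid()))
        return NULL;
    return getenv(name);
}

int main(void)
{
    /* Constructed scenario: the setcap case from the thread. Same uid and
     * euid, but the kernel set AT_SECURE because capabilities were gained. */
    unsigned long at_secure = 1;
    unsigned uid = 1000, euid = 1000;
    printf("euid-only check honours env: %d\n", env_trusted_by_euid(uid, euid));         /* 1: wrong */
    printf("AT_SECURE check honours env: %d\n", should_honor_env(at_secure, uid, euid)); /* 0: right */
    printf("this process: %s\n", safe_getenv_override("HOME") ? "env trusted" : "env ignored");
    return 0;
}
```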
Source: xscreensaver
Version: 5.45+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi
Filing for tracking in the BTS as well. For full public reference
see:
https://www.openwall.com/lists/oss-security/2021/