util-linux: CVE-2021-37600: Potential integer overflow in ipcutils.c


Debian Bug report logs - #991619

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 28 Jul 2021 18:51:01 UTC

Severity: important

Tags: security, upstream

Found in version util-linux/2.36.1-7

Fixed in version util-linux/2.36.1-8

Done: Chris Hofstaedtler <zeha@debian.org>

Forwarded to https://github.com/karelzak/util-linux/issues/1395



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, util-linux packagers <util-linux@packages.debian.org>:
Bug#991619; Package src:util-linux. (Wed, 28 Jul 2021 18:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, util-linux packagers <util-linux@packages.debian.org>. (Wed, 28 Jul 2021 18:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: util-linux: CVE-2021-37600: Potential integer overflow in ipcutils.c
Date: Wed, 28 Jul 2021 20:47:16 +0200
Source: util-linux
Version: 2.36.1-7
Severity: important
Tags: security upstream
Forwarded: https://github.com/karelzak/util-linux/issues/1395
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for util-linux.

CVE-2021-37600[0]:
| An integer overflow in util-linux through 2.37.1 can potentially cause
| a buffer overflow if an attacker were able to use system resources in
| a way that leads to a large number in the /proc/sysvipc/sem file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37600
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37600
[1] https://github.com/karelzak/util-linux/issues/1395
[2] https://github.com/karelzak/util-linux/commit/1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

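The CVE text quoted above gives the bug class in one sentence: an element count read from /proc/sysvipc/sem is used, without a range check, to size an allocation. The C program below is an added illustration written for this page. It is not util-linux's ipcutils.c and not the upstream fix linked as [2]; the struct layout, the parse helper, the sample /proc line and the 32-bit size_t emulation are all constructed for the example so that the wrap-around is reproducible on a 64-bit host.

```c
/*
 * Added illustration for CVE-2021-37600 (not util-linux code).
 * A 64-bit element count parsed from a /proc/sysvipc/sem-style line is
 * passed to calloc(), whose nmemb/size parameters are size_t. Without a
 * range check the product nmemb * sizeof(elem) wraps on a 32-bit target,
 * calloc() hands back a tiny buffer, and a loop that later fills one
 * record per semaphore writes past its end (heap buffer overflow).
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-semaphore record (16 bytes with 4-byte int). */
struct sem_elem {
	int semval;
	int ncount;
	int zcount;
	int pid;
};

/*
 * Constructed sample line in the column order /proc/sysvipc/sem uses:
 *   key semid perms nsems uid gid cuid cgid otime ctime
 * nsems is 2^30 + 1, chosen so that nsems * 16 == 2^34 + 16, which
 * truncates to 16 in 32-bit arithmetic.
 */
static const char SAMPLE_LINE[] =
	"       0      0  600 1073741825     0     0     0     0   0 1627497600\n";

/* Parse the 4th column (nsems) as uint64_t; false on malformed input. */
bool parse_nsems(const char *line, uint64_t *nsems)
{
	int key, semid;
	unsigned perms;
	return sscanf(line, "%d %d %o %" SCNu64, &key, &semid, &perms, nsems) == 4;
}

/*
 * Vulnerable pattern, modelled for a 32-bit size_t: the count is
 * truncated to 32 bits and multiplied with wrap-around. Returns the byte
 * count calloc() would actually be asked for on such a target.
 */
uint32_t unchecked_alloc_bytes32(uint64_t nmemb, size_t elemsize)
{
	uint64_t wide = (uint64_t)(uint32_t)nmemb * (uint64_t)elemsize;
	return (uint32_t)wide;          /* low 32 bits only, as on a 32-bit ABI */
}

/*
 * Hardened pattern: refuse when nmemb * elemsize would not fit in the
 * target's size_t. size_max is a parameter so 32-bit behaviour can be
 * exercised on a 64-bit host; pass SIZE_MAX for the running platform.
 */
bool checked_array_size(uint64_t nmemb, uint64_t elemsize,
			uint64_t size_max, uint64_t *bytes)
{
	if (elemsize == 0 || nmemb > size_max / elemsize)
		return false;
	*bytes = nmemb * elemsize;      /* cannot overflow: nmemb <= size_max / elemsize */
	return true;
}

/* calloc() wrapper for the running platform; NULL when the size check fails. */
void *checked_calloc(uint64_t nmemb, size_t elemsize)
{
	uint64_t bytes;
	if (!checked_array_size(nmemb, elemsize, SIZE_MAX, &bytes))
		return NULL;
	return calloc((size_t)nmemb, elemsize);
}

int main(void)
{
	uint64_t nsems, bytes;

	if (!parse_nsems(SAMPLE_LINE, &nsems)) {
		fputs("malformed sample line\n", stderr);
		return 1;
	}
	printf("nsems parsed from sample line : %" PRIu64 "\n", nsems);
	printf("unchecked request, 32-bit ABI  : %" PRIu32 " bytes\n",
	       unchecked_alloc_bytes32(nsems, sizeof(struct sem_elem)));
	printf("checked, 32-bit SIZE_MAX       : %s\n",
	       checked_array_size(nsems, sizeof(struct sem_elem),
				  UINT32_MAX, &bytes) ? "accepted" : "refused");
	if (checked_array_size(nsems, sizeof(struct sem_elem),
			       UINT64_MAX, &bytes))
		printf("checked, 64-bit SIZE_MAX       : accepted, %" PRIu64 " bytes\n",
		       bytes);
	return 0;
}
```

The point of the check is that it must run on the 64-bit count before any narrowing to size_t: once the value has been passed through a size_t parameter (as calloc's nmemb is) the truncation has already happened and no later test inside the allocator can see it. The same division-based test (nmemb > SIZE_MAX / elemsize) is what a reviewer should look for wherever a count parsed from /proc or from an untrusted file feeds an allocation.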


Reply sent to Chris Hofstaedtler <zeha@debian.org>:
You have taken responsibility. (Wed, 28 Jul 2021 19:51:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 28 Jul 2021 19:51:04 GMT)


Message #10 received at 991619-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 991619-close@bugs.debian.org
Subject: Bug#991619: fixed in util-linux 2.36.1-8
Date: Wed, 28 Jul 2021 19:48:32 +0000
Source: util-linux
Source-Version: 2.36.1-8
Done: Chris Hofstaedtler <zeha@debian.org>

We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991619@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Hofstaedtler <zeha@debian.org> (supplier of updated util-linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 28 Jul 2021 19:09:07 +0000
Source: util-linux
Architecture: source
Version: 2.36.1-8
Distribution: unstable
Urgency: medium
Maintainer: util-linux packagers <util-linux@packages.debian.org>
Changed-By: Chris Hofstaedtler <zeha@debian.org>
Closes: 991619
Changes:
 util-linux (2.36.1-8) unstable; urgency=medium
 .
   * Apply upstream patch for CVE-2021-37600 (Closes: #991619)
Checksums-Sha1:
 8e241a3bfecb3f61f9c652bb4b2a3afd5b482ba8 4271 util-linux_2.36.1-8.dsc
 1d7994221c08ed26ef88d6432863576d371840b6 98400 util-linux_2.36.1-8.debian.tar.xz
 8a50e3e25ebc6afccf5999db7f3a3366f2b244a9 6701 util-linux_2.36.1-8_source.buildinfo
Checksums-Sha256:
 ce431fba2d6d1ac8e46f12cd94fe124e666693c92bcf96783beb0dfafe34dc58 4271 util-linux_2.36.1-8.dsc
 876304edc7d9cbfacb5615f6205539d8b18fb254c5143243f9c7850cc58b3243 98400 util-linux_2.36.1-8.debian.tar.xz
 23bedb6c1dea701a951b8ed2c4a476a04b62968ea2a7cd1bf43f8f5e11f52bad 6701 util-linux_2.36.1-8_source.buildinfo
Files:
 52ccb231025ceb695dd6aa57eca59324 4271 base required util-linux_2.36.1-8.dsc
 9b5ee8d7a970df30b9be74e21a02ac17 98400 base required util-linux_2.36.1-8.debian.tar.xz
 9083246ad5ac472667ca0300d992c690 6701 base required util-linux_2.36.1-8_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jul 29 16:17:50 2021; Machine Name: bembo
