Debian Bug report logs - #906308
CVE-2018-14348

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 16 Aug 2018 21:09:02 UTC

Severity: grave

Tags: security

Fixed in versions libcgroup/0.41-8.1, libcgroup/0.41-8+deb9u1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Christian Kastner <ckk@debian.org>:
Bug#906308; Package src:libcgroup. (Thu, 16 Aug 2018 21:09:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Christian Kastner <ckk@debian.org>. (Thu, 16 Aug 2018 21:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-14348
Date: Thu, 16 Aug 2018 23:06:41 +0200
Source: libcgroup
Severity: grave
Tags: security

This was assigned CVE-2018-14348:
https://bugzilla.suse.com/show_bug.cgi?id=1100365
(cgred seems to be cgrulesengd in Debian)

Patch:
https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590/

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Kastner <ckk@debian.org>:
Bug#906308; Package src:libcgroup. (Sun, 19 Aug 2018 21:36:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Kastner <ckk@debian.org>. (Sun, 19 Aug 2018 21:36:03 GMT)


Message #10 received at 906308@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 906308@bugs.debian.org
Subject: Re: CVE-2018-14348
Date: Sun, 19 Aug 2018 23:33:38 +0200
Dear maintainer,

I've uploaded a new revision versioned as 0.48-8.1 to fix CVE-2018-14348.

Please find attached the debdiff.

Regards,

Markus
[libcgroup.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 19 Aug 2018 21:51:25 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 19 Aug 2018 21:51:26 GMT)


Message #15 received at 906308-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 906308-close@bugs.debian.org
Subject: Bug#906308: fixed in libcgroup 0.41-8.1
Date: Sun, 19 Aug 2018 21:49:17 +0000
Source: libcgroup
Source-Version: 0.41-8.1

We believe that the bug you reported is fixed in the latest version of
libcgroup, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 906308@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated libcgroup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 19 Aug 2018 23:10:45 +0200
Source: libcgroup
Binary: cgroup-tools libcgroup1 libcgroup-dev libpam-cgroup cgroup-bin
Architecture: source
Version: 0.41-8.1
Distribution: unstable
Urgency: high
Maintainer: Christian Kastner <ckk@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 cgroup-bin - control and monitor control groups (transitional package)
 cgroup-tools - control and monitor control groups (tools)
 libcgroup-dev - control and monitor control groups (development)
 libcgroup1 - control and monitor control groups (library)
 libpam-cgroup - control and monitor control groups (PAM)
Closes: 906308
Changes:
 libcgroup (0.41-8.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2018-14348:
     It was discovered that the cgrulesengd daemon would create a log file which
     would allow any user to write to it. (Closes: #906308)
Checksums-Sha1:
 10faeaf81643fe61e77d247d4732106730f99808 2307 libcgroup_0.41-8.1.dsc
 938167fdf1c619461ec081457942bc2860845b7e 16624 libcgroup_0.41-8.1.debian.tar.xz
 f5a47776c7f2f722abcc79f83eba1b35b94971d8 7714 libcgroup_0.41-8.1_amd64.buildinfo
Checksums-Sha256:
 235b9d1af793999747107d57a4227542b3face7076e2b3d3802e3e0eb6c16073 2307 libcgroup_0.41-8.1.dsc
 5d7cc170ab02692b94bb080428cf92d360187777614584e3786a2e83af4abe12 16624 libcgroup_0.41-8.1.debian.tar.xz
 93663d2f144d32f447ef2eee0e67a55df67dabf5d8a684662c08876570d14668 7714 libcgroup_0.41-8.1_amd64.buildinfo
Files:
 ea85b13472360ea0d44c4df58056692e 2307 libs optional libcgroup_0.41-8.1.dsc
 49de12c66bdf1c8ecacd398f849e6e8d 16624 libs optional libcgroup_0.41-8.1.debian.tar.xz
 07ff91267c9ec3abc0d1de3623ad1b17 7714 libs optional libcgroup_0.41-8.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
[signature data omitted]
-----END PGP SIGNATURE-----




Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 02 Sep 2018 20:51:12 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 02 Sep 2018 20:51:12 GMT)


Message #20 received at 906308-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 906308-close@bugs.debian.org
Subject: Bug#906308: fixed in libcgroup 0.41-8+deb9u1
Date: Sun, 02 Sep 2018 20:47:11 +0000
Source: libcgroup
Source-Version: 0.41-8+deb9u1

We believe that the bug you reported is fixed in the latest version of
libcgroup, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 906308@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated libcgroup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 19 Aug 2018 23:10:45 +0200
Source: libcgroup
Binary: cgroup-tools libcgroup1 libcgroup-dev libpam-cgroup cgroup-bin
Architecture: source all amd64
Version: 0.41-8+deb9u1
Distribution: stretch
Urgency: high
Maintainer: Christian Kastner <ckk@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 cgroup-bin - control and monitor control groups (transitional package)
 cgroup-tools - control and monitor control groups (tools)
 libcgroup-dev - control and monitor control groups (development)
 libcgroup1 - control and monitor control groups (library)
 libpam-cgroup - control and monitor control groups (PAM)
Closes: 906308
Changes:
 libcgroup (0.41-8+deb9u1) stretch; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2018-14348:
     The cgrulesengd daemon in libcgroup creates log files with world readable
     and writable permissions due to a reset of the file mode creation mask
     (umask(0)). (Closes: #906308)
Checksums-Sha1:
 14b2867b089e4fce9d3b6daaf87b238101ba15cd 2327 libcgroup_0.41-8+deb9u1.dsc
 20161d5e0c4b83dbf0e9768f67f8be4395ed47dd 16672 libcgroup_0.41-8+deb9u1.debian.tar.xz
 97574b51adfa64545033f9d5ea07d3c1d9ed36ec 6838 cgroup-bin_0.41-8+deb9u1_all.deb
 83f4eece8c32b018f5f706d9ae91495a80247107 150892 cgroup-tools-dbgsym_0.41-8+deb9u1_amd64.deb
 52ee10bb4daf36c698b3feae014a7764ca0fe1a5 68916 cgroup-tools_0.41-8+deb9u1_amd64.deb
 aaafd1c522d7fd463b20899adc3a71bf000457e1 20186 libcgroup-dev_0.41-8+deb9u1_amd64.deb
 e40ef9754cce7b4b6e27be7bd0543ecd8129ca6e 91470 libcgroup1-dbgsym_0.41-8+deb9u1_amd64.deb
 5bdd25ab9bf2d53389a9925a2e6cf28089807ec1 44784 libcgroup1_0.41-8+deb9u1_amd64.deb
 39758bb1ba12995a955a9983c7c3849c8e684ae2 8034 libcgroup_0.41-8+deb9u1_amd64.buildinfo
 5e969153c33edf83723338838d933184ee82280e 4936 libpam-cgroup-dbgsym_0.41-8+deb9u1_amd64.deb
 28237c56292c47042512b88b908cba90b571d6ce 9150 libpam-cgroup_0.41-8+deb9u1_amd64.deb
Checksums-Sha256:
 b4796e907c4fa5b4b64f700cc6ad1875bd600227ec95f37cfb8c55d69ee17377 2327 libcgroup_0.41-8+deb9u1.dsc
 c426122003b2e492e30a2f4dd6df6f81aa718f326b4a0866de9af272fc2822b1 16672 libcgroup_0.41-8+deb9u1.debian.tar.xz
 2c1a4fea0563e20d532ffa0c73bfb42e0924c5feb01616b7da59a5ab8f97da92 6838 cgroup-bin_0.41-8+deb9u1_all.deb
 4a4d92c1d0f48b3d3ec2094fb3a3ba1709c9aa379bf9f40bda8cdae5fffad74c 150892 cgroup-tools-dbgsym_0.41-8+deb9u1_amd64.deb
 3ec68d335d5dea2044ef063478cac6f588f1b4bfe9ce760b696245d621d41748 68916 cgroup-tools_0.41-8+deb9u1_amd64.deb
 98129fc899974999c3d64b1a1cee2e7b0206f68cd372611b4c2c8be34102e710 20186 libcgroup-dev_0.41-8+deb9u1_amd64.deb
 0388031b60dbd2333bc2ef6c0acad1b1977211ef53877a3ed9b24f70b8474ac5 91470 libcgroup1-dbgsym_0.41-8+deb9u1_amd64.deb
 9ebf7a353a27f3f865f8baf2eafc27c2ceb7dd704f9cfa59e202a57f168362b8 44784 libcgroup1_0.41-8+deb9u1_amd64.deb
 adf6ebfa1e156143e6b77f9e5651924cc3c3bf1c83d5c78997f281bd65fb91cb 8034 libcgroup_0.41-8+deb9u1_amd64.buildinfo
 807690bcf816e79d0e83126ecba51d93ede33eb0fbb4af5ce5b42065e714f88c 4936 libpam-cgroup-dbgsym_0.41-8+deb9u1_amd64.deb
 8d703b81de31095017570047e2f5b098c1c6aec9bb2084f267df62dd80d1c327 9150 libpam-cgroup_0.41-8+deb9u1_amd64.deb
Files:
 d425ea8010b647c953ee012723b80877 2327 libs optional libcgroup_0.41-8+deb9u1.dsc
 1bad78ce99cd596d6acf1ba4a798983d 16672 libs optional libcgroup_0.41-8+deb9u1.debian.tar.xz
 624064093539e943e608f10fb5687cf8 6838 oldlibs extra cgroup-bin_0.41-8+deb9u1_all.deb
 068b5cc76b302c903ed12efb519a9155 150892 debug extra cgroup-tools-dbgsym_0.41-8+deb9u1_amd64.deb
 c25c42f6b80d756f0cf00503f78a8db3 68916 admin optional cgroup-tools_0.41-8+deb9u1_amd64.deb
 463bba42d9a7a1728da883f9c6a79b3a 20186 libdevel optional libcgroup-dev_0.41-8+deb9u1_amd64.deb
 b86a69b2a0eb3c24897ff8b1882e7add 91470 debug extra libcgroup1-dbgsym_0.41-8+deb9u1_amd64.deb
 2270bb0e9aa360f09a91e287b88d6b18 44784 libs optional libcgroup1_0.41-8+deb9u1_amd64.deb
 a544293e63ffc96ca7c24c31138b68e7 8034 libs optional libcgroup_0.41-8+deb9u1_amd64.buildinfo
 b4ab5f36ebfeacb7f2c104e1144e86f5 4936 debug extra libpam-cgroup-dbgsym_0.41-8+deb9u1_amd64.deb
 7c703c0cd7bea3ef11c5ccfa1a192e22 9150 admin optional libpam-cgroup_0.41-8+deb9u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
[signature data omitted]
-----END PGP SIGNATURE-----
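The two changelog entries above describe the bug class behind CVE-2018-14348: cgrulesengd reset its file mode creation mask with umask(0) and then created its log file, so the log ended up world readable and writable. The C program below is an added example, not code from libcgroup and not the upstream patch linked earlier in this report: it reproduces the pattern (fopen() after umask(0)) beside a hardened variant that passes an explicit mode to open() and verifies the opened descriptor with fstat(). The /tmp paths and function names are hypothetical, and the mitigation shown is the generic one for this bug class; it may differ in detail from the fix upstream applied.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern (the bug class described in the changelog): the daemon
 * resets its file mode creation mask to 0 while daemonizing and then creates
 * the log with fopen(), whose implicit mode 0666 is no longer masked, so
 * every local user can write to (and read) the daemon's log. */
int create_log_vulnerable(const char *path)
{
    umask(0);
    FILE *f = fopen(path, "a");
    if (f == NULL)
        return -1;
    fclose(f);
    return 0;
}

/* Hardened variant: an explicit mode passed to open() is an upper bound on
 * the resulting permissions (the kernel applies mode & ~umask), so 0640
 * holds even if earlier code did umask(0). O_NOFOLLOW refuses a symlink
 * planted at the log path; fstat() on the descriptor then checks that a
 * pre-existing file is a regular file we own with no group/other write bit,
 * instead of trusting the path name. */
int create_log_hardened(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0)
        return -1;
    struct stat st;
    int ok = fstat(fd, &st) == 0
          && S_ISREG(st.st_mode)
          && st.st_uid == geteuid()
          && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Permission bits of path, or -1 if it cannot be stat'ed. */
int log_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Creates a fresh log via the given function at a hypothetical path under
 * /tmp (unlinked first so the demo never reuses an old file), returns its
 * permission bits, and removes it again. */
static int mode_after(int (*create)(const char *), const char *tag)
{
    char path[128];
    snprintf(path, sizeof path, "/tmp/cgred-demo-%ld-%s.log", (long)getpid(), tag);
    unlink(path);
    int mode = (create(path) == 0) ? log_mode(path) : -1;
    unlink(path);
    return mode;
}

int demo_vulnerable_mode(void)
{
    return mode_after(create_log_vulnerable, "vulnerable"); /* 0666 */
}

/* Worst case for the hardened code: the process has already done umask(0). */
int demo_hardened_mode(void)
{
    umask(0);
    return mode_after(create_log_hardened, "hardened"); /* 0640 */
}

int main(void)
{
    printf("umask(0) + fopen():        %04o\n", demo_vulnerable_mode());
    printf("open() with explicit 0640: %04o\n", demo_hardened_mode());
    return 0;
}
```

Run as any user; the first line shows 0666 and the second 0640. The design point is that the permission bound must come from the open() call itself, because a daemon's umask is process-global state that other code (here, the daemonizing routine) can and did reset. Checking the descriptor with fstat() rather than the path also covers a log file that already existed with bad permissions when the daemon started, which a fix to the creation mode alone does not.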




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Nov 2018 07:26:14 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:22:56 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.