Debian Bug report logs - #928732 CVE-2019-11460
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#928732; Package src:gnome-desktop3. (Thu, 09 May 2019 20:39:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Thu, 09 May 2019 20:39:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: gnome-desktop3
Severity: important
Tags: security
This was assigned CVE-2019-11460:
https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112
Cheers,
Moritz
Marked as found in versions gnome-desktop3/3.30.2.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 09 May 2019 21:03:08 GMT)
Marked as found in versions gnome-desktop3/3.32.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 09 May 2019 21:03:10 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 09 May 2019 21:09:05 GMT)
Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 16 May 2019 19:30:14 GMT)
Message sent on to Moritz Muehlenhoff <jmm@debian.org>: Bug#928732. (Mon, 03 Jun 2019 22:24:03 GMT)
Message #18 received at 928732-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #928732 in gnome-desktop3 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/gnome-team/gnome-desktop/commit/f21f567e427897f89a7eff10dbbce81bd7459f29
------------------------------------------------------------------------
Fix CVE-2019-11460
Import the only non-build-system change from upstream release 3.30.2.3
to fix incomplete TIOCSTI ioctl filtering, which could be a vector for
privilege escalation if a thumbnailer with a security vulnerability is run
on a crafted malicious image by a program that uses libgnome-desktop and
was run from an interactive terminal.
Closes: #928732
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/928732
Added tag(s) pending. Request was from Simon McVittie <noreply@salsa.debian.org> to 928732-submitter@bugs.debian.org. (Mon, 03 Jun 2019 22:24:03 GMT)
Reply sent to Simon McVittie <smcv@debian.org>: You have taken responsibility. (Mon, 03 Jun 2019 22:39:03 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Mon, 03 Jun 2019 22:39:03 GMT)
Message #25 received at 928732-done@bugs.debian.org:
Version: 3.32.1-1
On Thu, 09 May 2019 at 22:34:53 +0200, Moritz Muehlenhoff wrote:
> This was assigned CVE-2019-11460:
> https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112
This was fixed in 3.32.1, so I believe the bug is already not present
in experimental:
$ git grep TIOCSTI
libgnome-desktop/gnome-desktop-thumbnail-script.c: {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)},
I'm preparing a backport of the upstream commit to 3.30.x for buster.
(It was in 3.30.2.3, but that version has a lot of Autotools noise
for a one-line change, so it doesn't seem worth following upstream
3.30.x releases unless/until there's a larger important fix.)
On Thu, 09 May 2019 at 23:00:41 +0200, Salvatore Bonaccorso wrote:
> found 928732 3.32.1-1
... or please reopen if you have information to the contrary?
Thanks,
smcv
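An added illustration (my own model, not code from gnome-desktop, libseccomp or this bug log) of why the rule needs SCMP_CMP_MASKED_EQ with a 0xFFFFFFFF mask: seccomp compares the full 64-bit argument register, while the kernel's ioctl entry point only looks at the low 32 bits, so a plain equality rule (which I assume is the form the fix replaced) and the kernel can disagree about whether a request is TIOCSTI. The MODEL_TIOCSTI constant, the cmp_op/arg_rule stand-in types and the sample values are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TIOCSTI on x86/ARM Linux (asm-generic/ioctls.h), hard-coded so this model
   builds without Linux or libseccomp headers. */
#define MODEL_TIOCSTI 0x5412u
/* This example's own stand-ins for libseccomp's comparison operators and
   scmp_arg_cmp; they only model the comparison, no filter is installed. */
enum cmp_op { CMP_EQ, CMP_MASKED_EQ };
struct arg_rule { enum cmp_op op; uint64_t mask; uint64_t datum; };
/* seccomp compares the full 64-bit argument register against the rule. */
static int rule_matches(const struct arg_rule *r, uint64_t arg)
{
    if (r->op == CMP_MASKED_EQ)
        return (arg & r->mask) == r->datum;
    return arg == r->datum;
}
/* The kernel's ioctl entry takes `unsigned int cmd`: only the low 32 bits of
   that same register decide which ioctl runs. */
static int kernel_sees_tiocsti(uint64_t arg)
{
    return (uint32_t)arg == MODEL_TIOCSTI;
}
/* 1 if every sample the kernel treats as TIOCSTI is also caught by the rule. */
static int rule_is_complete(const struct arg_rule *r, const uint64_t *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (kernel_sees_tiocsti(s[i]) && !rule_matches(r, s[i]))
            return 0;
    return 1;
}
/* Plain equality (assumed pre-fix form) vs the masked comparison from the
   git grep output above. */
static const struct arg_rule unmasked_rule = { CMP_EQ, 0, (int)MODEL_TIOCSTI };
static const struct arg_rule masked_rule = { CMP_MASKED_EQ, 0xFFFFFFFFu, (int)MODEL_TIOCSTI };
/* Constructed samples: the plain request, the same low word with stray high
   bits, and an unrelated ioctl (TCGETS) that must stay allowed. */
static const uint64_t samples[] = { MODEL_TIOCSTI, 0x100000000ull | MODEL_TIOCSTI, 0x5401u };

int main(void)
{
    printf("unmasked complete: %d, masked complete: %d\n",
           rule_is_complete(&unmasked_rule, samples, 3),
           rule_is_complete(&masked_rule, samples, 3));
    return 0;
}
```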
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#928732; Package src:gnome-desktop3. (Tue, 04 Jun 2019 04:21:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 04 Jun 2019 04:21:05 GMT)
Message #30 received at 928732@bugs.debian.org:
Hi Simon,
On Mon, Jun 03, 2019 at 11:34:36PM +0100, Simon McVittie wrote:
> Version: 3.32.1-1
>
> On Thu, 09 May 2019 at 22:34:53 +0200, Moritz Muehlenhoff wrote:
> > This was assigned CVE-2019-11460:
> > https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112
>
> This was fixed in 3.32.1, so I believe the bug is already not present
> in experimental:
>
> $ git grep TIOCSTI
> libgnome-desktop/gnome-desktop-thumbnail-script.c: {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)},
>
> I'm preparing a backport of the upstream commit to 3.30.x for buster.
> (It was in 3.30.2.3, but that version has a lot of Autotools noise
> for a one-line change, so it doesn't seem worth following upstream
> 3.30.x releases unless/until there's a larger important fix.)
>
> On Thu, 09 May 2019 at 23:00:41 +0200, Salvatore Bonaccorso wrote:
> > found 928732 3.32.1-1
>
> ... or please reopen if you have information to the contrary?
Hmm, but no, I think this was not in 3.32.*1*-1. #112 is fixed by
e3dca7d49bf179f98ac114cad9f4d4889f75d90c which was included in 3.33.1.
The fix went as well upstream in 3.32.1.1 and in 3.32.*2*. So I think
found 3.32.1-1 was actually correct, but it's fixed in the current
version in experimental as 3.32.2-1.
I checked as well by fetching 3.32.1-1 explicitly from snapshots.
Regards,
Salvatore
No longer marked as fixed in versions 3.32.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 04 Jun 2019 04:24:03 GMT)
Marked as fixed in versions gnome-desktop3/3.32.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 04 Jun 2019 04:24:04 GMT)
Message sent on to Moritz Muehlenhoff <jmm@debian.org>: Bug#928732. (Tue, 04 Jun 2019 04:24:05 GMT)
Message #37 received at 928732-submitter@bugs.debian.org:
notfixed 928732 3.32.1-1
close 928732 3.32.2-1
thanks
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#928732; Package src:gnome-desktop3. (Tue, 04 Jun 2019 07:00:03 GMT)
Acknowledgement sent to Simon McVittie <smcv@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 04 Jun 2019 07:00:03 GMT)
Message #42 received at 928732@bugs.debian.org:
Control: found 928732 3.32.1-1
Control: fixed 928732 3.32.2-1
On Tue, 04 Jun 2019 at 06:19:43 +0200, Salvatore Bonaccorso wrote:
> Hmm, but no, I think this was not in 3.32.*1*-1. #112 is fixed by
> e3dca7d49bf179f98ac114cad9f4d4889f75d90c which was included in 3.33.1.
> The fix went as well upstream in 3.32.1.1 and in 3.32.*2*. So I think
> found 3.32.1-1 was actually correct, but it's fixed in the current
> version in experimental as 3.32.2-1.
Ah, sorry, I was mixing up 3.32.1-1 with 3.32.1.1 (which was never
in Debian, so 3.32.2-1 is the first fixed version on that branch).
Thanks for checking.
smcv
Reply sent to Simon McVittie <smcv@debian.org>: You have taken responsibility. (Tue, 04 Jun 2019 09:06:04 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Tue, 04 Jun 2019 09:06:04 GMT)
Message #47 received at 928732-close@bugs.debian.org:
Source: gnome-desktop3
Source-Version: 3.30.2.1-2
We believe that the bug you reported is fixed in the latest version of
gnome-desktop3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 928732@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated gnome-desktop3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 03 Jun 2019 23:16:42 +0100
Source: gnome-desktop3
Architecture: source
Version: 3.30.2.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 928732
Changes:
gnome-desktop3 (3.30.2.1-2) unstable; urgency=medium
.
* Team upload
* d/gbp.conf: Configure branches for Debian buster and GNOME 3.30.x
* d/watch: Only watch for 3.30.x versions
* d/p/thumbnailer-fix-incomplete-TIOCSTI-filtering.patch:
Import the only non-build-system change from upstream release 3.30.2.3
to fix incomplete TIOCSTI ioctl filtering, which could be a vector for
privilege escalation if a thumbnailer with a security vulnerability is
run on a crafted malicious image by a program that uses libgnome-desktop
and was run from an interactive terminal.
(Closes: #928732, CVE-2019-11460)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:53:54 2019; Machine Name: beach