mgetty: CVE-2018-16741


Debian Bug report logs - #910448
mgetty: CVE-2018-16741


Package: src:mgetty; Maintainer for src:mgetty is Andreas Barth <aba@ayous.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 6 Oct 2018 13:21:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version mgetty/1.1.36-1

Fixed in versions mgetty/1.1.36-3+deb9u1, mgetty/1.2.1-1

Done: Andreas Barth <aba@ayous.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Andreas Barth <aba@ayous.org>:
Bug#910448; Package src:mgetty. (Sat, 06 Oct 2018 13:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Andreas Barth <aba@ayous.org>. (Sat, 06 Oct 2018 13:21:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mgetty: CVE-2018-16741
Date: Sat, 06 Oct 2018 15:18:55 +0200
Source: mgetty
Version: 1.1.36-1
Severity: grave
Tags: patch security upstream
Control: fixed -1 1.1.36-3+deb9u1

Hi,

The following vulnerability was published for mgetty.

CVE-2018-16741[0]:
| An issue was discovered in mgetty before 1.2.1. In fax/faxq-helper.c,
| the function do_activate() does not properly sanitize shell
| metacharacters to prevent command injection. It is possible to use the
| ||, &&, or > characters within a file created by the "faxq-helper
| activate <jobid>" command.

The issue was fixed in DSA-4291-1 with 1.1.36-3+deb9u1 but not yet in
unstable and for buster, thus filing an RC bug to avoid the
regression for buster.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16741
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16741

Regards,
Salvatore
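The advisory above describes do_activate() in fax/faxq-helper.c handing unsanitized job-file content to a shell, so characters such as `||`, `&&` or `>` in the file become commands. The C below is an added example, not mgetty's own code, of the defensive pattern: parse each job-file line, accept a field only if every character is in an allowlist, and run the helper through execvp() with an argv array so no shell ever interprets the values. The function names, the allowlist, the "key value" line format and the sample lines are all hypothetical and constructed for this illustration.

```c
/* Added example (not mgetty's own code): allowlist validation of values
 * read from a fax job file, plus an exec-style launcher that avoids a
 * shell entirely. All names, formats and sample data here are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Characters allowed in a job-file field such as a phone number or user
 * name. Anything outside this set (|, &, >, ;, $, `, newline, ...) is
 * rejected, so no shell metacharacter can ever pass through. */
static int field_char_ok(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '_' || c == '.' || c == '+' || c == '@';
}

/* Returns 1 if the field is non-empty, at most maxlen characters long and
 * made only of allowlisted characters; 0 otherwise. */
int faxq_field_is_safe(const char *field, size_t maxlen)
{
    size_t n;
    if (field == NULL || *field == '\0')
        return 0;
    for (n = 0; field[n] != '\0'; n++) {
        if (n >= maxlen)
            return 0;
        if (!field_char_ok((unsigned char)field[n]))
            return 0;
    }
    return 1;
}

/* Split one hypothetical "key value" job-file line into key and value.
 * Trailing CR/LF is stripped. Returns 1 on success, 0 on malformed input. */
int faxq_parse_line(const char *line, char *key, size_t keysz, char *val, size_t valsz)
{
    const char *sp = strchr(line, ' ');
    size_t klen, vlen;
    if (sp == NULL)
        return 0;
    klen = (size_t)(sp - line);
    if (klen == 0 || klen >= keysz)
        return 0;
    memcpy(key, line, klen);
    key[klen] = '\0';
    sp++;
    vlen = strcspn(sp, "\r\n");
    if (vlen >= valsz)
        return 0;
    memcpy(val, sp, vlen);
    val[vlen] = '\0';
    return 1;
}

/* Convenience check: 1 if the line parses and its value is allowlisted. */
int faxq_line_is_safe(const char *line)
{
    char key[32], val[128];
    if (!faxq_parse_line(line, key, sizeof key, val, sizeof val))
        return 0;
    return faxq_field_is_safe(val, 64);
}

/* Run a program without a shell: argv goes straight to execvp(), so the
 * arguments are never re-parsed for metacharacters. Returns the child's
 * exit status, or -1 on fork/wait failure or abnormal termination. */
int run_without_shell(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127); /* exec failed in the child */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample lines; the second carries the kind of shell
     * metacharacters the advisory describes and must be rejected. */
    const char *lines[] = { "phone 0123456789", "user alice||id", "user bob\n", "nospace" };
    char *const argv[] = { "echo", "faxq-helper", "activate", "job-0001", NULL };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-20s -> %s\n", lines[i], faxq_line_is_safe(lines[i]) ? "accepted" : "REJECTED");
    printf("exit status %d\n", run_without_shell(argv));
    return 0;
}
```

The allowlist is deliberately narrow; widening it is safer than trying to enumerate dangerous characters, and even a validated value should still be passed as a separate argv element rather than spliced into a command string.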



Marked as fixed in versions mgetty/1.1.36-3+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 06 Oct 2018 13:21:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@ayous.org>:
Bug#910448; Package src:mgetty. (Sat, 06 Oct 2018 19:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@ayous.org>. (Sat, 06 Oct 2018 19:21:03 GMT) (full text, mbox, link).


Message #12 received at 910448@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 910448@bugs.debian.org
Subject: Re: Bug#910448: mgetty: CVE-2018-16741
Date: Sat, 6 Oct 2018 21:18:43 +0200
Hi,

FTR, I think if feasible best would be to go for unstable (and thus
buster) directly to 1.2.1, which will address as well the other CVEs
(which were no-dsa or unimportant).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#910448; Package src:mgetty. (Sat, 06 Oct 2018 20:03:02 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Barth <aba@ayous.org>:
Extra info received and forwarded to list. (Sat, 06 Oct 2018 20:03:02 GMT) (full text, mbox, link).


Message #17 received at 910448@bugs.debian.org (full text, mbox, reply):

From: Andreas Barth <aba@ayous.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 910448@bugs.debian.org
Subject: Re: Bug#910448: mgetty: CVE-2018-16741
Date: Sat, 6 Oct 2018 21:22:25 +0200
* Salvatore Bonaccorso (carnil@debian.org) [181006 21:21]:
> FTR, I think if feasible best would be to go for unstable (and thus
> buster) directly to 1.2.1, which will address as well the other CVEs
> (which were no-dsa or unimportant).

That's the plan, yes.


Andi



Reply sent to Andreas Barth <aba@ayous.org>:
You have taken responsibility. (Sat, 03 Nov 2018 16:27:07 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 03 Nov 2018 16:27:08 GMT) (full text, mbox, link).


Message #22 received at 910448-close@bugs.debian.org (full text, mbox, reply):

From: Andreas Barth <aba@ayous.org>
To: 910448-close@bugs.debian.org
Subject: Bug#910448: fixed in mgetty 1.2.1-1
Date: Sat, 03 Nov 2018 16:23:50 +0000
Source: mgetty
Source-Version: 1.2.1-1

We believe that the bug you reported is fixed in the latest version of
mgetty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 910448@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Barth <aba@ayous.org> (supplier of updated mgetty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 06 Oct 2018 22:17:07 +0200
Source: mgetty
Binary: mgetty mgetty-fax mgetty-viewfax mgetty-voice mgetty-pvftools mgetty-docs
Architecture: source all
Version: 1.2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Andreas Barth <aba@ayous.org>
Changed-By: Andreas Barth <aba@ayous.org>
Description:
 mgetty     - Smart Modem getty replacement
 mgetty-docs - Documentation Package for mgetty
 mgetty-fax - Faxing tools for mgetty
 mgetty-pvftools - Programs for listening and manipulating pvf and rmd files
 mgetty-viewfax - Program for displaying Group-3 Fax files under X
 mgetty-voice - Voicemail handler for mgetty
Closes: 910448
Changes:
 mgetty (1.2.1-1) unstable; urgency=medium
 .
   * Bump upstream version to 1.2.1, amongst others:
     Harden faxq and faxrunq and others, fixes
     CVE-2018-16745, CVE-2018-16744, CVE-2018-16741, CVE-2018-16743, CVE-2018-16742.
     Closes: #910448
Checksums-Sha1:
 089ad42d3ce039bd8f0928943ad4e6a74c1773ec 1456 mgetty_1.2.1-1.dsc
 0c10b1e47101bebefcf01505b4fd537a4f66a2a7 1236903 mgetty_1.2.1-1.tar.gz
 c583cf091f6199ebf99b3ab6ebf42f3930869d97 517244 mgetty-docs_1.2.1-1_all.deb
Checksums-Sha256:
 c0daa01eb52ab56da8ca72dd0394434dac1e69d3d1c9e174adb9dc7305a314c0 1456 mgetty_1.2.1-1.dsc
 72c3ba7671a6534ac67f710199d7a746c22bec60416c9d60583fd0bf7e6ca2fe 1236903 mgetty_1.2.1-1.tar.gz
 49244dbfc7bccc9c512f6e78c8df69b6e096d2d43976d2adfe3a22726aeb81dd 517244 mgetty-docs_1.2.1-1_all.deb
Files:
 013c33bb14fe71846c2e8ff363b5e3a1 1456 comm optional mgetty_1.2.1-1.dsc
 a78bf8b2e264d68369fedb642ac3dd22 1236903 comm optional mgetty_1.2.1-1.tar.gz
 d8fd7bedd8f2f17afe595f2d061435f9 517244 doc optional mgetty-docs_1.2.1-1_all.deb

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEwDoy7x/3mxHvqB7o2u/AWm2EZI4FAlvdw8gPHGFiYUBkZWJp
YW4ub3JnAAoJENrvwFpthGSO/d0H/1ATXFnm2vshasVpPY7fSuF1UTT42TK2SsJ6
PVBShw+scdQAOY+0qv3iCPRMHX3nB8Jx8fWZ1Jly1aInCMeyERtFoWES5Btyto+J
uxlKS3YrbcFkFkNmOrI+r6GfZl1N5BXIQWwRGLZyEjFhpMMMQAIzBJjKEUHTVMoz
JzTMgfRZ1+/yT206Z1SAxrCQoJK9f0cGCsjf6R1BVs7MZEoHKFmuxcuKLb+JRd4I
1mdghOQg5o7oy3u0No9xgNLF+IRFWDav+sx06o+wVHGBpC8wnFHpA1W8rzhok8ri
jgjFm741Jz/u+NgkYGD7xcDB+BQheQjdAh4yeQmnKoJD10KGkNI=
=7htZ
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 07 Dec 2018 07:28:23 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:11:38 2019; Machine Name: buxtehude
