rtkit: CVE-2013-4326

Related Vulnerabilities: CVE-2013-4326  

Debian Bug report logs - #723714
rtkit: CVE-2013-4326


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 19 Sep 2013 05:51:01 UTC

Severity: grave

Tags: security

Fixed in versions rtkit/0.10-3, rtkit/0.10-2+wheezy1

Done: Alessio Treglia <alessio@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#723714; Package rtkit. (Thu, 19 Sep 2013 05:51:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 19 Sep 2013 05:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rtkit: CVE-2013-4326
Date: Thu, 19 Sep 2013 07:44:33 +0200
Package: rtkit
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4326 for details
and a patch.

Cheers,
        Moritz



Reply sent to Alessio Treglia <alessio@debian.org>:
You have taken responsibility. (Thu, 19 Sep 2013 09:51:09 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 19 Sep 2013 09:51:10 GMT)


Message #10 received at 723714-close@bugs.debian.org:

From: Alessio Treglia <alessio@debian.org>
To: 723714-close@bugs.debian.org
Subject: Bug#723714: fixed in rtkit 0.10-3
Date: Thu, 19 Sep 2013 09:49:21 +0000
Source: rtkit
Source-Version: 0.10-3

We believe that the bug you reported is fixed in the latest version of
rtkit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723714@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessio Treglia <alessio@debian.org> (supplier of updated rtkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 19 Sep 2013 09:30:47 +0100
Source: rtkit
Binary: rtkit
Architecture: source amd64
Version: 0.10-3
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Alessio Treglia <alessio@debian.org>
Description: 
 rtkit      - Realtime Policy and Watchdog Daemon
Closes: 657351 723714
Changes: 
 rtkit (0.10-3) unstable; urgency=high
 .
   * Update debian/copyright.
   * Add dbus, policykit-1 on Recommends. (Closes: #657351)
   * Fix CVE-2013-4326 (Closes: #723714)




Reply sent to Alessio Treglia <alessio@debian.org>:
You have taken responsibility. (Sat, 12 Oct 2013 21:21:13 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 12 Oct 2013 21:21:13 GMT)


Message #15 received at 723714-close@bugs.debian.org:

From: Alessio Treglia <alessio@debian.org>
To: 723714-close@bugs.debian.org
Subject: Bug#723714: fixed in rtkit 0.10-2+wheezy1
Date: Sat, 12 Oct 2013 21:17:06 +0000
Source: rtkit
Source-Version: 0.10-2+wheezy1

We believe that the bug you reported is fixed in the latest version of
rtkit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723714@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessio Treglia <alessio@debian.org> (supplier of updated rtkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 08 Oct 2013 09:41:41 +0100
Source: rtkit
Binary: rtkit
Architecture: source amd64
Version: 0.10-2+wheezy1
Distribution: stable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Alessio Treglia <alessio@debian.org>
Description: 
 rtkit      - Realtime Policy and Watchdog Daemon
Closes: 723714
Changes: 
 rtkit (0.10-2+wheezy1) stable; urgency=high
 .
   * Fix CVE-2013-4326:
     - pass uid of caller to polkit, otherwise we force polkit to look up
       the uid itself in /proc, which is racy if they execve() a setuid
       binary (Closes: #723714)
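
The race named in the 0.10-2+wheezy1 changelog above, as a small model added here (not rtkit's or polkit's code, and no real D-Bus, polkit or /proc calls). `ProcTable`, `make_subject`, `authority_check` and `run` are hypothetical names, all pid, uid and start-time values are constructed, and the /proc lookup is simplified to one uid per process.

```python
from dataclasses import dataclass

@dataclass
class Proc:
    uid: int         # uid a /proc lookup for this pid returns right now
    start_time: int  # set at fork(), unchanged by execve()

class ProcTable:
    """Constructed stand-in for /proc; no real processes are inspected."""
    def __init__(self):
        self.procs = {}

    def fork(self, pid, uid, start_time):
        self.procs[pid] = Proc(uid, start_time)

    def execve_setuid(self, pid, owner_uid):
        # Same pid, same start time; only the credentials change.
        self.procs[pid].uid = owner_uid

def make_subject(pid, start_time, caller_uid=None):
    """Subject the service hands to the authority. caller_uid=None models the
    pre-fix request, which identified the caller by pid and start time only."""
    subject = {"pid": pid, "start_time": start_time}
    if caller_uid is not None:
        subject["uid"] = caller_uid
    return subject

def authority_check(table, subject, allowed_uids):
    """Hypothetical policy: authorize only if the subject's uid is allowed."""
    proc = table.procs.get(subject["pid"])
    if proc is None or proc.start_time != subject["start_time"]:
        return False                      # pid exited or was recycled
    uid = subject.get("uid")
    if uid is None:
        uid = proc.uid                    # late lookup: this is the race window
    return uid in allowed_uids

def run(pass_uid):
    """Replay the timeline: request arrives, caller execs, authority decides."""
    table = ProcTable()
    table.fork(pid=4242, uid=1000, start_time=77)   # unprivileged caller
    uid_at_request = table.procs[4242].uid          # known when the request arrives
    subject = make_subject(4242, 77, uid_at_request if pass_uid else None)
    table.execve_setuid(4242, owner_uid=0)          # happens before the check
    return authority_check(table, subject, allowed_uids={0})
```

The start-time comparison catches a recycled pid but not this case, because execve() keeps both pid and start time; only a uid fixed at request time closes the window.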




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Dec 2013 07:26:30 GMT)

