accountsservice: CVE-2018-14036: insufficient path check in user_change_icon_file_authorized_cb() in user.c

Related Vulnerabilities: CVE-2018-14036  

Debian Bug report logs - #903828

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 15 Jul 2018 12:57:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions accountsservice/0.6.43-1, accountsservice/0.6.45-1

Fixed in version accountsservice/0.6.45-2

Done: Emilio Pozuelo Monfort <pochu@debian.org>

Forwarded to https://bugs.freedesktop.org/show_bug.cgi?id=107085



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>:
Bug#903828; Package src:accountsservice. (Sun, 15 Jul 2018 12:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>. (Sun, 15 Jul 2018 12:57:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: accountsservice: CVE-2018-14036: insufficient path check in user_change_icon_file_authorized_cb() in user.c
Date: Sun, 15 Jul 2018 14:55:15 +0200
Source: accountsservice
Version: 0.6.43-1
Severity: important
Tags: patch security upstream
Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=107085
Control: found -1  0.6.45-1

Hi,

The following vulnerability was published for accountsservice.

CVE-2018-14036[0]:
| Directory Traversal with ../ sequences occurs in AccountsService before
| 0.6.50 because of an insufficient path check in
| user_change_icon_file_authorized_cb() in user.c.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14036
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036
[1] https://bugs.freedesktop.org/show_bug.cgi?id=107085
[2] http://www.openwall.com/lists/oss-security/2018/07/02/2
[3] https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
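The class of bug behind this report, shown as an added illustration that is not code from accountsservice or from the upstream fix commit: a check that only asks whether the supplied icon path starts with the icon directory string is satisfied by a path that climbs back out of that directory with ../ components, and also by a sibling directory whose name merely shares the prefix. The ICONDIR value, the function names and the sample paths below are assumed for the demo; the daemon's actual handling of the two branches (trusting a file already under ICONDIR versus copying an outside file into it) is not reproduced.

```c
/* Added example, not accountsservice code: a bare string-prefix test is an
 * insufficient "is this file inside the icon directory" check, and a
 * normalise-then-compare check is the minimum replacement.
 * ICONDIR below is an assumed value for the demo. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ICONDIR "/var/lib/AccountsService/icons"   /* assumed for the demo */

/* The vulnerable pattern: accept the path if it merely starts with ICONDIR.
 * ".." components and sibling directories like ICONDIR "-evil" both pass. */
bool naive_prefix_check(const char *path)
{
    return strncmp(path, ICONDIR, strlen(ICONDIR)) == 0;
}

/* Lexically normalise an absolute path: drop "." components, resolve ".."
 * against the preceding component, collapse repeated slashes. Writes the
 * result to out (capacity n); returns false if path is not absolute or does
 * not fit. This does NOT follow symlinks (see the note after the block). */
bool normalize_path(const char *path, char *out, size_t n)
{
    if (path[0] != '/' || n < 2) return false;
    size_t len = 0;                 /* bytes written to out, excluding NUL */
    const char *p = path;
    while (*p) {
        while (*p == '/') p++;      /* skip one or more separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t clen = (size_t)(p - start);
        if (clen == 1 && start[0] == '.') continue;
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* pop the last component (and its leading slash), if any */
            while (len > 0 && out[len - 1] != '/') len--;
            if (len > 0) len--;
            continue;
        }
        if (len + 1 + clen + 1 > n) return false;
        out[len++] = '/';
        memcpy(out + len, start, clen);
        len += clen;
    }
    if (len == 0) out[len++] = '/'; /* everything cancelled out: root */
    out[len] = '\0';
    return true;
}

/* The hardened check: normalise first, then require ICONDIR followed by a
 * '/' and at least one more character, so that neither "../" escapes nor
 * prefix-sharing siblings nor the directory itself are accepted. */
bool path_inside_icondir(const char *path)
{
    char norm[4096];
    if (!normalize_path(path, norm, sizeof norm)) return false;
    size_t dl = strlen(ICONDIR);
    return strncmp(norm, ICONDIR, dl) == 0 && norm[dl] == '/' && norm[dl + 1] != '\0';
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = {
        "/var/lib/AccountsService/icons/alice",
        "/var/lib/AccountsService/icons/../../../../etc/shadow",
        "/var/lib/AccountsService/icons-evil/x",
        "/home/alice/face.png",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-55s naive=%d hardened=%d\n", samples[i],
               naive_prefix_check(samples[i]), path_inside_icondir(samples[i]));
    return 0;
}
```

normalize_path() is purely lexical, so it does not see through symlinks. For a path handed over D-Bus by an unprivileged caller to a root daemon, resolve the existing file with realpath() (or open it and check the descriptor) and apply path_inside_icondir() to that result; otherwise a symlink planted inside the icon directory defeats the containment test just as ../ did.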



Marked as found in versions accountsservice/0.6.45-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 15 Jul 2018 12:57:05 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 19 Jul 2018 17:15:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>:
Bug#903828; Package src:accountsservice. (Fri, 04 Jan 2019 22:21:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>. (Fri, 04 Jan 2019 22:21:03 GMT)


Message #14 received at 903828@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 903828@bugs.debian.org
Subject: Re: accountsservice: CVE-2018-14036: insufficient path check in user_change_icon_file_authorized_cb() in user.c
Date: Fri, 4 Jan 2019 23:18:28 +0100
On Sun, Jul 15, 2018 at 02:55:15PM +0200, Salvatore Bonaccorso wrote:
> Source: accountsservice
> Version: 0.6.43-1
> Severity: important
> Tags: patch security upstream
> Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=107085
> Control: found -1  0.6.45-1
> 
> Hi,
> 
> The following vulnerability was published for accountsservice.
> 
> CVE-2018-14036[0]:
> | Directory Traversal with ../ sequences occurs in AccountsService before
> | 0.6.50 because of an insufficient path check in
> | user_change_icon_file_authorized_cb() in user.c.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-14036
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036
> [1] https://bugs.freedesktop.org/show_bug.cgi?id=107085
> [2] http://www.openwall.com/lists/oss-security/2018/07/02/2
> [3] https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a

Can you please fix this before the buster freeze?

Cheers,
        Moritz



Severity set to 'grave' from 'important'. Request was from jmm@inutil.org (Moritz Muehlenhoff) to control@bugs.debian.org. (Thu, 28 Feb 2019 14:48:04 GMT)


Reply sent to Emilio Pozuelo Monfort <pochu@debian.org>:
You have taken responsibility. (Tue, 05 Mar 2019 10:21:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 05 Mar 2019 10:21:07 GMT)


Message #21 received at 903828-close@bugs.debian.org:

From: Emilio Pozuelo Monfort <pochu@debian.org>
To: 903828-close@bugs.debian.org
Subject: Bug#903828: fixed in accountsservice 0.6.45-2
Date: Tue, 05 Mar 2019 10:19:13 +0000
Source: accountsservice
Source-Version: 0.6.45-2

We believe that the bug you reported is fixed in the latest version of
accountsservice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903828@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated accountsservice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 05 Mar 2019 11:05:07 +0100
Source: accountsservice
Architecture: source
Version: 0.6.45-2
Distribution: unstable
Urgency: medium
Maintainer: Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Closes: 903828
Changes:
 accountsservice (0.6.45-2) unstable; urgency=medium
 .
   [ Robert Ancell ]
   * debian/patches/0006-adduser_instead_of_useradd.patch:
     - Merged into 0002-create-and-manage-groups-like-on-a-debian-system.patch
   * debian/patches/*:
     - Removed unused patches.
 .
   [ Emilio Pozuelo Monfort ]
   * debian/control: Update Vcs-* for move to salsa.debian.org.
 .
   [ Salvatore Bonaccorso ]
   * user: fix insufficient path prefix check (CVE-2018-14036)
     (Closes: #903828)
Checksums-Sha1:
 f7d0697f5df9e77abd02ab1be34760d2a7c600b6 2652 accountsservice_0.6.45-2.dsc
 e9d13e6970c52e168eb7d6dc8441a3abafed3dfa 382740 accountsservice_0.6.45.orig.tar.xz
 9fb221eea0de8965165f002a9527e49e4f95c1d2 18620 accountsservice_0.6.45-2.debian.tar.xz
 a50dc2bc2327c0f959ff0d9291de63d36aacff2f 8010 accountsservice_0.6.45-2_source.buildinfo
Checksums-Sha256:
 11e2c6a68cd1e60dd3a1cca1d9f5fdd574d35ea14c5cfaf7a0e0084f1f5a7020 2652 accountsservice_0.6.45-2.dsc
 fb0fc293aa75d59f5ef5db719d37a21831c4dd74a97526ee7e51ce936311ef26 382740 accountsservice_0.6.45.orig.tar.xz
 06ccf7cb7e48949faa9731ac6ca195b8b531a08643e8d459b31d6c1c01432ee4 18620 accountsservice_0.6.45-2.debian.tar.xz
 04808bbfa5401fa405903886d4ab8c147660735b788c2520479b90c63ab5552a 8010 accountsservice_0.6.45-2_source.buildinfo
Files:
 523e1bdf810bff3b74247abb19b205ea 2652 admin optional accountsservice_0.6.45-2.dsc
 b4c0a74bb5f8680dda0b7be27b1c02d9 382740 admin optional accountsservice_0.6.45.orig.tar.xz
 defaa674b275beaf4e4fb8d28bfcff30 18620 admin optional accountsservice_0.6.45-2.debian.tar.xz
 2acdf662e29325952da35ee4882f20a0 8010 admin optional accountsservice_0.6.45-2_source.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:21:01 2019; Machine Name: beach
