Debian Bug report logs - #928052
CVE-2019-11502 CVE-2019-11503
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Fri, 26 Apr 2019 21:09:01 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in version snapd/2.37.4-1
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Michael Hudson-Doyle <mwhudson@debian.org>: Bug#928052; Package src:snapd. (Fri, 26 Apr 2019 21:09:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Michael Hudson-Doyle <mwhudson@debian.org>. (Fri, 26 Apr 2019 21:09:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: snapd
Severity: grave
Tags: security
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11503
Cheers,
Moritz
Marked as found in versions snapd/2.37.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 08 May 2019 18:39:04 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 08 May 2019 18:39:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Michael Hudson-Doyle <mwhudson@debian.org>: Bug#928052; Package src:snapd. (Wed, 29 May 2019 06:21:03 GMT)
Acknowledgement sent to Hideki Yamane <henrich@iijmio-mail.jp>: Extra info received and forwarded to list. Copy sent to Michael Hudson-Doyle <mwhudson@debian.org>. (Wed, 29 May 2019 06:21:03 GMT)
Message #14 received at 928052@bugs.debian.org:
control: tags -1 +fixed-upstream
On Fri, 26 Apr 2019 23:04:05 +0200 Moritz Muehlenhoff <jmm@debian.org> wrote:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11502
It was fixed in upstream 2.38
https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11503
It was fixed in upstream 2.39
https://github.com/snapcore/snapd/commit/187893dee84e34ed40680217d2c3ce810985f97e
--
Hideki Yamane <henrich@iijmio-mail.jp>
Added tag(s) fixed-upstream. Request was from Hideki Yamane <henrich@iijmio-mail.jp> to 928052-submit@bugs.debian.org. (Wed, 29 May 2019 06:21:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Michael Hudson-Doyle <mwhudson@debian.org>: Bug#928052; Package src:snapd. (Sun, 09 Jun 2019 08:18:03 GMT)
Acknowledgement sent to Kentaro Hayashi <hayashi@clear-code.com>: Extra info received and forwarded to list. Copy sent to Michael Hudson-Doyle <mwhudson@debian.org>. (Sun, 09 Jun 2019 08:18:03 GMT)
Message #21 received at 928052@bugs.debian.org:
control: tags -1 +patch
I've tried to fix only CVE-2019-11502 as a challenge.
The debdiff patch is added.
I hope it will help to fix.
[debdiff-snapd-CVE-2019-11502.patch (text/x-diff, attachment)]
Added tag(s) patch. Request was from Kentaro Hayashi <hayashi@clear-code.com> to 928052-submit@bugs.debian.org. (Sun, 09 Jun 2019 08:18:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Michael Hudson-Doyle <mwhudson@debian.org>: Bug#928052; Package src:snapd. (Sun, 09 Jun 2019 17:06:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Michael Hudson-Doyle <mwhudson@debian.org>. (Sun, 09 Jun 2019 17:06:05 GMT)
Message #28 received at 928052@bugs.debian.org:
Hi,
I have not reviewed the whole patch, but the following appeared on my
radar while reviewing:
On Sun, Jun 09, 2019 at 05:09:15PM +0900, Kentaro Hayashi wrote:
> + [ Kentaro Hayashi ]
> + * Non-maintainer upload.
> + * d/patches/CVE-2019-11502.patch: fix unintended access to a private /tmp
> + directory. (Closes: #928052)
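Review bot: the changelog entry for d/patches/CVE-2019-11502.patch does not name the upstream change it backports; earlier in this bug the fix is identified as snapcore/snapd commit bdbfeebef03245176ae0dc323392bb0522a339b1 (upstream 2.38), so reference it in the changelog or in the patch's DEP-3 Origin header so the backport can be checked against upstream. The "(Closes: #928052)" should also be dropped from this entry, since the bug tracks CVE-2019-11503 as well and no fix for it is in this upload.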
This should not close the bug yet, as it only addresses CVE-2019-11502.
#928052 tracks both CVE-2019-11502 and CVE-2019-11503. So unless I miss
something, the changes to fix CVE-2019-11503 are still missing.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Michael Hudson-Doyle <mwhudson@debian.org>: Bug#928052; Package src:snapd. (Mon, 10 Jun 2019 13:54:03 GMT)
Acknowledgement sent to Kentaro Hayashi <hayashi@clear-code.com>: Extra info received and forwarded to list. Copy sent to Michael Hudson-Doyle <mwhudson@debian.org>. (Mon, 10 Jun 2019 13:54:03 GMT)
Message #33 received at 928052@bugs.debian.org:
Hi,
Thank you for feedback.
On Sun, 9 Jun 2019 19:03:19 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi,
>
[snip]
> This should not close the bug yet, as it only addresses CVE-2019-11502.
> #928052 tracks both CVE-2019-11502 and CVE-2019-11503. So unless I miss
> something, the changes to fix CVE-2019-11503 are still missing.
I've just dropped the inappropriate Closes: and attached the fixed debdiff again.
Regards,
[debdiff-snapd-CVE-2019-11502.p1.patch (text/x-diff, attachment)]
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:17:07 2019.