procps: CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126


Debian Bug report logs - #899170

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 20 May 2018 09:30:01 UTC

Severity: important

Tags: security, upstream

Found in version procps/2:3.3.9-9

Fixed in versions procps/2:3.3.12-3+deb9u1, procps/2:3.3.9-9+deb8u1, procps/2:3.3.15-1

Done: Craig Small <csmall@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Craig Small <csmall@debian.org>:
Bug#899170; Package src:procps. (Sun, 20 May 2018 09:30:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Craig Small <csmall@debian.org>. (Sun, 20 May 2018 09:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: procps: CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126
Date: Sun, 20 May 2018 11:26:44 +0200
Source: procps
Version: 2:3.3.9-9
Severity: important
Tags: security upstream
Control: fixed -1 2:3.3.9-9+deb8u1
Control: fixed -1 2:3.3.12-3+deb9u1

Hi,

The following vulnerabilities were published for procps, filing the
bug to track the issue in the Debian BTS.

CVE-2018-1122[0]:
Local Privilege Escalation in top

CVE-2018-1123[1]:
Denial of Service in ps

CVE-2018-1124[2]:
Local Privilege Escalation in libprocps

CVE-2018-1125[3]:
0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch

CVE-2018-1126[4]:
0035-proc-alloc.-Use-size_t-not-unsigned-int.patch

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1122
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1122
[1] https://security-tracker.debian.org/tracker/CVE-2018-1123
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1123
[2] https://security-tracker.debian.org/tracker/CVE-2018-1124
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1124
[3] https://security-tracker.debian.org/tracker/CVE-2018-1125
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1125
[4] https://security-tracker.debian.org/tracker/CVE-2018-1126
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1126
[5] http://www.openwall.com/lists/oss-security/2018/05/17/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

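The report above pins the fix to a different procps version per suite (2:3.3.9-9+deb8u1, 2:3.3.12-3+deb9u1, 2:3.3.15-1), so the practical check is "is the installed version at least the fixed version for this host's suite?" under Debian's version ordering, not a string or float comparison. The following is an added example, not code from procps or the Debian BTS: it re-implements dpkg's version ordering (epoch, upstream, revision, with `~` sorting before the end of a string) so the check can run anywhere, and keys the fixed versions by suite. The suite names (jessie for deb8, stretch for deb9, unstable for 3.3.15-1) and the host inventory are this example's own assumptions and constructed data.

```python
"""Check an installed procps version against the Debian fixed versions
listed in bug #899170 (CVE-2018-1122 .. CVE-2018-1126).

Added example, not code from procps or the Debian BTS. It re-implements
dpkg's version ordering (epoch, upstream, revision; '~' sorts before the
empty string) so the check runs without dpkg. On a Debian host the same
comparison is `dpkg --compare-versions "$installed" ge "$fixed"`.
"""

# Fixed versions taken from the "Fixed in versions" line of the bug log.
# The suite names are this example's mapping (deb8 = jessie, deb9 = stretch).
FIXED_VERSIONS = {
    "jessie": "2:3.3.9-9+deb8u1",
    "stretch": "2:3.3.12-3+deb9u1",
    "unstable": "2:3.3.15-1",
}


def _order(c):
    """Weight of a non-digit character, as in dpkg's order(): '~' sorts
    before end-of-string, letters sort before every other symbol."""
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the dpkg way: alternate between
    non-digit runs (character weights) and digit runs (numeric value)."""
    while a or b:
        # Non-digit prefix: compare character by character.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros; the longer run is larger,
        # otherwise the first differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a and b and a[0].isdigit() and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def procps_vulnerable(installed, suite):
    """True if `installed` is older than the fixed procps version for `suite`."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) < 0


if __name__ == "__main__":
    # Constructed sample of `dpkg-query -W -f='${Version}\n' procps` output
    # from hosts on each suite; not real inventory data.
    sample_hosts = [
        ("jessie-web01", "jessie", "2:3.3.9-9"),          # version named in the report
        ("jessie-web02", "jessie", "2:3.3.9-9+deb8u1"),   # security update applied
        ("stretch-db01", "stretch", "2:3.3.12-3"),
        ("stretch-db02", "stretch", "2:3.3.12-3+deb9u1"),
        ("sid-build01", "unstable", "2:3.3.15-1"),
        ("sid-build02", "unstable", "3.3.16-1"),          # local build without the epoch
    ]
    for host, suite, ver in sample_hosts:
        state = "VULNERABLE" if procps_vulnerable(ver, suite) else "fixed"
        print(f"{host:14} {suite:9} {ver:22} {state}")
```

Two details matter in practice. First, the suite must be known: a stretch-backports build such as 2:3.3.15-1~bpo9+1 sorts below 2:3.3.15-1 (the `~` rule) yet above stretch's fixed 2:3.3.12-3+deb9u1, so comparing it against the unstable version would wrongly flag it. Second, the epoch is part of the version: a locally rebuilt "3.3.16-1" without the `2:` epoch compares as older than every fixed version, which is exactly how dpkg would treat it on upgrade.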


Marked as fixed in versions procps/2:3.3.9-9+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 20 May 2018 09:30:05 GMT)


Marked as fixed in versions procps/2:3.3.12-3+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 20 May 2018 09:30:05 GMT)


Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Sun, 20 May 2018 16:03:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 20 May 2018 16:03:06 GMT)


Message #14 received at 899170-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 899170-close@bugs.debian.org
Subject: Bug#899170: fixed in procps 2:3.3.15-1
Date: Sun, 20 May 2018 16:00:11 +0000
Source: procps
Source-Version: 2:3.3.15-1

We believe that the bug you reported is fixed in the latest version of
procps, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899170@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated procps package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 20 May 2018 19:41:46 +1000
Source: procps
Binary: procps libprocps7 libprocps-dev
Architecture: source amd64
Version: 2:3.3.15-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 libprocps-dev - library for accessing process information from /proc
 libprocps7 - library for accessing process information from /proc
 procps     - /proc file system utilities
Closes: 899170
Changes:
 procps (2:3.3.15-1) unstable; urgency=medium
 .
   * New upstream release Closes: #899170
   * library: Fix integer overflow and LPE in file2strvec   CVE-2018-1124
   * library: Use size_t for alloc functions                CVE-2018-1126
   * pgrep: Fix stack-based buffer overflow                 CVE-2018-1125
   * ps: Fix buffer overflow in output buffer, causing DOS  CVE-2018-1123
   * Command Name increased from 16 to 64 characters
Checksums-Sha1:
 d527b881ca6681665ce6430b1b8440738e0aa4c6 2104 procps_3.3.15-1.dsc
 3139aab2d7b746ecc4e8d44dd06aaa2cda3a24ed 903372 procps_3.3.15.orig.tar.xz
 0c3e4e30cffc57ad217caa2491a44684965b7042 28020 procps_3.3.15-1.debian.tar.xz
 8a9812677a56c22c6db9cb65837a152c5a501289 73792 libprocps-dev_3.3.15-1_amd64.deb
 313c0317cac75cb6fa5c8f126e11dad6cf3f30d9 77168 libprocps7-dbgsym_3.3.15-1_amd64.deb
 382e4f699de91b26c2842b870fa7b8a3f5eb05e1 61652 libprocps7_3.3.15-1_amd64.deb
 8725172ff5b238165410704a896e212d0eb02803 365772 procps-dbgsym_3.3.15-1_amd64.deb
 ebbed8ef3e4f84b9ee2956dcf4dcaf42653d6230 6896 procps_3.3.15-1_amd64.buildinfo
 8ce4fb5f3662f8702280c9aef74fac6687927ecf 258988 procps_3.3.15-1_amd64.deb
Checksums-Sha256:
 f88f2350ed17c731136adf1511c57e57fd80ca0f3da7d367481122563ae89910 2104 procps_3.3.15-1.dsc
 82e8aa55b65eac116eee05f00d2a884a6374760d57100edd429d6e9b4953458d 903372 procps_3.3.15.orig.tar.xz
 22f409919a24a750b265c18c0e1cf49c04e8823a5e6f190615495fe52efa1c95 28020 procps_3.3.15-1.debian.tar.xz
 5fbc3b12b6329102450d32e1598528989e45b06ea3298cfadc42800f662eb1cf 73792 libprocps-dev_3.3.15-1_amd64.deb
 eb5cc8ca2c58db4cda8ec3a0ff3808408aed8f951be24589e9a2d2852c541383 77168 libprocps7-dbgsym_3.3.15-1_amd64.deb
 0929be5eedb15d82b2a682ee5f1d6873c43bd05af0059d6f820358d73acdc508 61652 libprocps7_3.3.15-1_amd64.deb
 740257f90af7db439f64432992eeeb81f81dca16482200a9b6809f93c9b7aba4 365772 procps-dbgsym_3.3.15-1_amd64.deb
 f98912a6e6399aff6de431c5d683fc69bdad265267d3668df9d3965b5af885fb 6896 procps_3.3.15-1_amd64.buildinfo
 0d540f02456955da1cf9c5813bf932db920b0c8e0adbe5d2e9f2a7a77fa3c3a3 258988 procps_3.3.15-1_amd64.deb
Files:
 96c18a8479ee538607f497de847de249 2104 admin optional procps_3.3.15-1.dsc
 14b2f6066d82c67387d7a4cbd37f6876 903372 admin optional procps_3.3.15.orig.tar.xz
 cbee4310dd8ef77446c959fac621a22a 28020 admin optional procps_3.3.15-1.debian.tar.xz
 1ebef3925ce04cf82ed4ab9a04c03be0 73792 libdevel optional libprocps-dev_3.3.15-1_amd64.deb
 61b57846e5c21ee1e483044e774e63d4 77168 debug optional libprocps7-dbgsym_3.3.15-1_amd64.deb
 50652bf7b77ba81d438a4fd8a129f24a 61652 libs optional libprocps7_3.3.15-1_amd64.deb
 408dbd3af5ca25ffc46373ec60285364 365772 debug optional procps-dbgsym_3.3.15-1_amd64.deb
 4fce701ab5c8445e8a97ef149e859d4f 6896 admin optional procps_3.3.15-1_amd64.buildinfo
 35bf345e24ac98b2d60961d4379ff2b4 258988 admin important procps_3.3.15-1_amd64.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 03 Jul 2018 07:32:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:05:16 2019; Machine Name: buxtehude
