
Bug#1049365: inetutils: CVE-2023-40303


Salvatore Bonaccorso

Aug 14, 2023, 2:50:05 PM
Source: inetutils
Version: 2:2.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>

Hi,

The following vulnerability was published for inetutils.

CVE-2023-40303[0]:
| GNU inetutils through 2.4 may allow privilege escalation because of
| unchecked return values of set*id() family functions in ftpd, rcp,
| rlogin, rsh, rshd, and uucpd. This is, for example, relevant if the
| setuid system call fails when a process is trying to drop privileges
| before letting an ordinary user control the activities of the
| process.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40303
https://www.cve.org/CVERecord?id=CVE-2023-40303
[1] https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
[2] https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg00000.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
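The failure mode named in the CVE text above, shown as an added C example that is not part of this bug report or of inetutils: the unchecked privilege drop beside a checked one. The function names are my own; the checked variant omits setgroups() so it builds and runs as an unprivileged user.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern behind CVE-2023-40303: set*id() results are discarded, so
 * if the kernel refuses the change (EPERM, or EAGAIN on a uid over its
 * process limit) the daemon stays root while believing it dropped. */
static void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    (void)setgid(gid);   /* result discarded: this is the bug */
    (void)setuid(uid);   /* result discarded: this is the bug */
}

/* Checked form: gid before uid (once the uid is unprivileged setgid()
 * can no longer succeed), ids read back, drop verified irreversible.
 * Returns 0 on success, -1 with errno set; on -1 the caller must exit,
 * never keep serving. A real daemon also calls setgroups() first to
 * clear supplementary groups; left out so the example builds anywhere. */
static int drop_privileges_checked(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;       /* silent no-op: treat as failure */
        return -1;
    }
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;       /* root was regained: not a real drop */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Dropping to the ids we already hold succeeds for any user; the
     * unchecked variant is called only to contrast the two forms. */
    drop_privileges_unchecked(getuid(), getgid());
    if (drop_privileges_checked(getuid(), getgid()) != 0) {
        perror("drop_privileges_checked");
        return 1;
    }
    puts("privilege drop verified");
    return 0;
}
```

Run as a non-root user, a request to switch to a different uid is rejected by the kernel and the checked variant reports it instead of carrying on.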

Guillem Jover

Aug 16, 2023, 7:30:04 PM
Hi!

On Mon, 2023-08-14 at 20:42:10 +0200, Salvatore Bonaccorso wrote:
> Source: inetutils
> Version: 2:2.4-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>

> The following vulnerability was published for inetutils.
>
> CVE-2023-40303[0]:
> | GNU inetutils through 2.4 may allow privilege escalation because of
> | unchecked return values of set*id() family functions in ftpd, rcp,
> | rlogin, rsh, rshd, and uucpd. This is, for example, relevant if the
> | setuid system call fails when a process is trying to drop privileges
> | before letting an ordinary user control the activities of the
> | process.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Thanks! I had seen this in the upstream mailing list but did not think
it was much of an issue for ftpd. But I've now cherry picked the patch
locally, and included it as part of the next Debian package revision,
which I need to polish a bit but will be uploading in a couple of days
at most.

Right, I think this affects pretty much all inetutils versions from a
quick «git log -p», but will double check to make sure.

Thanks,
Guillem

Salvatore Bonaccorso

Aug 17, 2023, 12:40:05 AM
Hi Guillem,

Nice to read from you.

On Thu, Aug 17, 2023 at 01:19:34AM +0200, Guillem Jover wrote:
> Hi!
>
> On Mon, 2023-08-14 at 20:42:10 +0200, Salvatore Bonaccorso wrote:
> > Source: inetutils
> > Version: 2:2.4-2
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>
>
> > The following vulnerability was published for inetutils.
> >
> > CVE-2023-40303[0]:
> > | GNU inetutils through 2.4 may allow privilege escalation because of
> > | unchecked return values of set*id() family functions in ftpd, rcp,
> > | rlogin, rsh, rshd, and uucpd. This is, for example, relevant if the
> > | setuid system call fails when a process is trying to drop privileges
> > | before letting an ordinary user control the activities of the
> > | process.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> Thanks! I had seen this in the upstream mailing list but did not think
> it was much of an issue for ftpd. But I've now cherry picked the patch
> locally, and included it as part of the next Debian package revision,
> which I need to polish a bit but will be uploading in a couple of days
> at most.

Ack, it is not super urgent I think, and note for bookworm and
bullseye we marked it as no-dsa. So while no DSA needed, if you have
time as well for the lower suites a fix might go into the upcoming
next point releases.

Regards,
Salvatore