Bug#906308: CVE-2018-14348

Markus Koschany Sun, 19 Aug 2018 14:36:59 -0700

Dear maintainer,

I've uploaded a new revision versioned as 0.48-8.1 to fix CVE-2018-14348.


Please find attached the debdiff.

Regards,

Markus

diff -Nru libcgroup-0.41/debian/changelog libcgroup-0.41/debian/changelog
--- libcgroup-0.41/debian/changelog     2016-04-24 18:51:45.000000000 +0200
+++ libcgroup-0.41/debian/changelog     2018-08-19 23:10:45.000000000 +0200
@@ -1,3 +1,12 @@
+libcgroup (0.41-8.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2018-14348:
+    It was discovered that the cgrulesengd daemon would create a log file which
+    would allow any user to write to it. (Closes: #906308)
+
+ -- Markus Koschany <a...@debian.org>  Sun, 19 Aug 2018 23:10:45 +0200
+
 libcgroup (0.41-8) unstable; urgency=medium
 
   * Drop package libcgroup-dbg in favor of automatic dbgsym packages.
diff -Nru libcgroup-0.41/debian/patches/CVE-2018-14348.patch 
libcgroup-0.41/debian/patches/CVE-2018-14348.patch
--- libcgroup-0.41/debian/patches/CVE-2018-14348.patch  1970-01-01 
01:00:00.000000000 +0100
+++ libcgroup-0.41/debian/patches/CVE-2018-14348.patch  2018-08-19 
23:10:45.000000000 +0200
@@ -0,0 +1,23 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sun, 19 Aug 2018 23:09:25 +0200
+Subject: CVE-2018-14348
+
+Bug-Debian: https://bugs.debian.org/906308
+Origin: 
https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590/
+---
+ src/daemon/cgrulesengd.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
+index 367b898..ffd1fc3 100644
+--- a/src/daemon/cgrulesengd.c
++++ b/src/daemon/cgrulesengd.c
+@@ -886,8 +886,6 @@ int cgre_start_daemon(const char *logp, const int logf,
+                       exit(EXIT_SUCCESS);
+               }
+ 
+-              /* Change the file mode mask. */
+-              umask(0);
+       } else {
+               flog(LOG_DEBUG, "Not using daemon mode\n");
+               pid = getpid();
diff -Nru libcgroup-0.41/debian/patches/series 
libcgroup-0.41/debian/patches/series
--- libcgroup-0.41/debian/patches/series        2016-04-24 18:51:45.000000000 
+0200
+++ libcgroup-0.41/debian/patches/series        2018-08-19 23:10:45.000000000 
+0200
@@ -4,3 +4,4 @@
 initscript-return.patch
 Syntax-fixes-for-man-pages.patch
 pam_cgroup-Revert-broken-cache-usage.patch
+CVE-2018-14348.patch

signature.asc
Description: OpenPGP digital signature

Bug#906308: CVE-2018-14348

Reply via email to