Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi
Please unblock package eject
Ilja Van Sprundel discovered that the dmcrypt-get-device helper used to
check if a given device is an encrypted device handled by devmapper, and used
in eject, does not check return values from setuid() and setgid() when dropping
privileges. It is not clear if that can be used to execute code as root, since
all what comes after dropping privileges should be actually from trusted
source. But we wanted to be rather sure and released a DSA for eject.
Attached is the debdiff against the version in testing.
unblock eject/2.1.5+deb1+cvs20081104-13.2
Regards,
Salvatore
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u eject-2.1.5+deb1+cvs20081104/debian/changelog
eject-2.1.5+deb1+cvs20081104/debian/changelog
--- eject-2.1.5+deb1+cvs20081104/debian/changelog
+++ eject-2.1.5+deb1+cvs20081104/debian/changelog
@@ -1,3 +1,11 @@
+eject (2.1.5+deb1+cvs20081104-13.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2017-6964: Check the return values when dropping privileges
+ (Closes: #858872)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Tue, 28 Mar 2017 06:22:15 +0200
+
eject (2.1.5+deb1+cvs20081104-13.1) unstable; urgency=low
[ Ankit Sinha ]
diff -u eject-2.1.5+deb1+cvs20081104/dmcrypt-get-device.c
eject-2.1.5+deb1+cvs20081104/dmcrypt-get-device.c
--- eject-2.1.5+deb1+cvs20081104/dmcrypt-get-device.c
+++ eject-2.1.5+deb1+cvs20081104/dmcrypt-get-device.c
@@ -58,8 +58,10 @@
return 1;
/* Drop all privileges */
- setgid(getgid());
- setuid(getuid());
+ if (setgid(getgid()))
+ return 1;
+ if (setuid(getuid()))
+ return 1;
if (!dm_task_get_info(dmt, &dmi))
return 1;
