
Bug#1030168: marked as done (pesign: CVE-2022-3560: Local privilege escalation on pesign systemd service)



Your message dated Wed, 01 Nov 2023 23:04:35 +0000
with message-id <E1qyKGJ-003kfR-TV@fasolo.debian.org>
and subject line Bug#1030168: fixed in pesign 116-1
has caused the Debian Bug report #1030168,
regarding pesign: CVE-2022-3560: Local privilege escalation on pesign systemd service
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1030168: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030168
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: pesign
Version: 0.112-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for pesign.

I'm filing it for now still as severity grave, but feel free to
downgrade if you do not agree on the RC level bug. That said, it needs an
unprivileged user with access to the pesign user or group.

The code has been substantially refactored upstream, and I think the
issue is still present in the older versions, where the service is
using the pesign-authorize-groups and pesign-authorize-users scripts.

CVE-2022-3560[0]:
| Local privilege escalation on pesign systemd service

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-3560
    https://www.cve.org/CVERecord?id=CVE-2022-3560
[1] https://www.openwall.com/lists/oss-security/2023/01/31/6
[2] https://github.com/rhboot/pesign/commit/d8a8c259994d0278c59b30b41758a8dd0abff998 

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: pesign
Source-Version: 116-1
Done: Steve McIntyre <93sam@debian.org>

We believe that the bug you reported is fixed in the latest version of
pesign, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1030168@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <93sam@debian.org> (supplier of updated pesign package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 01 Nov 2023 22:25:43 +0000
Source: pesign
Architecture: source
Version: 116-1
Distribution: unstable
Urgency: medium
Maintainer: Debian UEFI maintainers <debian-efi@lists.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Closes: 964157 1003787 1015578 1030168 1054449
Changes:
 pesign (116-1) unstable; urgency=medium
 .
   * New upstream version 116
     * Remove old patches, all upstream now
     * Add new patches:
       * Remove bashisms in Makefiles
       * Update a patch to make build reproducible. Closes: #1003787
     * Various programs are now gone, fix up packaging to match:
       * efisiglist; replaced by efisecdb in the efivar package
       * pesign-authorize-users / pesign-authorize-groups
         (Fixes CVE-2022-3560, Closes: #1030168)
     * No longer uses /var/run. Closes: #964157
   * Add build-dep on new libefisec-dev
   * Move user/group setup from preinst to postinst, and add a
     dependency on passwd. Closes: #1054449
   * Now seems to work OK using LTO in the build. Closes: #1015578.
Checksums-Sha1:
 8f6252459886688fdf3bffcffd30fa562a7e6585 2135 pesign_116-1.dsc
 f11d00d08b55d0e6ca209c81adabad799832cd00 120424 pesign_116.orig.tar.bz2
 61de6cfee58d2459c1d69d0ee313899212022716 11144 pesign_116-1.debian.tar.xz
 1755ba868d0187f553794233f69661d45b5c46fa 6935 pesign_116-1_source.buildinfo
Checksums-Sha256:
 4b4080812f19a1cf5128d62abfa41bab7e5560c0912102316220ff91af1df59a 2135 pesign_116-1.dsc
 35331f75689863e5be595f2bb04a8bc934ce734b8d76fa5d6aeb4d85424e8996 120424 pesign_116.orig.tar.bz2
 2346ee31809f426ff8d9d92cfe30297490801c4ce46f3db068d8fbb48ee26a30 11144 pesign_116-1.debian.tar.xz
 2dc35e10ec0d780743a826fbcc80cca5e94034aa8d0a4faf4d8e69a4261b20a2 6935 pesign_116-1_source.buildinfo
Files:
 f7668b6e49662745edbfbd058d6826c5 2135 devel optional pesign_116-1.dsc
 10cd95bf1bee5097321efc141e8ab292 120424 devel optional pesign_116.orig.tar.bz2
 75d01755f6de87155d7ad2bbdfc04001 11144 devel optional pesign_116-1.debian.tar.xz
 33bc1c96276e94941c443089a7f959a3 6935 devel optional pesign_116-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCAAvFiEEzrtSMB1hfpEDkP4WWHl5VzRCaE4FAmVC1dwRHDkzc2FtQGRl
Ymlhbi5vcmcACgkQWHl5VzRCaE6gbg/+OdW0MAWLVSnl319foC00aEV4DqxRPKQU
4E2dxIC/08Hv/Vw1wdsiDT6HNx+kf+vcbZ4B4+B2mWtGI7dAg9p4XBpdgS7LEk2B
A5wN7uEuU76GKADNM2/fpiU36ucJmzcBh2uCVqcSN5wD2qSRRyy4tmXE63RLzqLH
W90vDVFdndmh4WfPMddjyqItf9PIJJRA7FjcCeIKlP+qS14J25gsSCKWV26dkdXB
9w84NVMVvDk8yn3eH6ZvyLH5jzMswVudCDAGsn2K3LGikEYzScMA0PtULOt8XkvA
UMhtmU56DX5/Uhmq+KpIzsj4C3Vph9Hdlr0z7SD9nKUs2hgqDvBGlSJKEPdq6BVp
utX3ohXtpemIN1xA/80KWXZInbVgG2KK4IwmDKYWWqquM/f1aVlvVlS4idMo1XzM
8f5qMzy0crcWCL+BYzOjSPo701oAR0wcxbndC6ixAWuw1yPM2BJ8y/R+H4fj90c1
pTpqVLPOAqQvDdMI9KUCjrymxLLQNXfezuvY5AIaO1nBTKSOCle8ZlHxkaWDhWmf
pafxmeoOLUJqrl2q+E2Zv/FVceKd2MjfHcBh43kQkckI37wsRxD6olsRg29lcTUG
9rdkyMgrfBtd9Cu4k1/9MFOAADk+aRrE9Yc4c+nKXUbwbx4FPE6slossFGSN+jr3
OoCpbVVHrhI=
=GcHr
-----END PGP SIGNATURE-----

--- End Message ---
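The report above says the issue needs an unprivileged user with access to the pesign user or group, and the changelog says 116-1 dropped the pesign-authorize-users / pesign-authorize-groups helpers. The following is an added example (not code from Debian or the pesign project) of the two checks an administrator would run on a host: is the installed pesign older than the fixed upload, and which local accounts are members of the pesign group. The helper script paths under /usr/bin are an assumption (the page does not state where they were installed), and the numeric fallback used when `dpkg` is absent assumes pesign's actual version history (0.112-x before the fix, 113 and later after) with no epoch.

```shell
#!/bin/sh
# Added example, not Debian's or pesign's own code: is this host still on a
# pesign older than the 116-1 upload that removed the
# pesign-authorize-users / pesign-authorize-groups helpers (CVE-2022-3560),
# and who can reach the pesign user or group?

# Return 0 (affected) when the Debian version string sorts before 116-1.
# Uses dpkg's comparison when available; otherwise compares the leading
# integer of the version, which is enough for pesign's history (0.112-x
# before the fix, 113 and later after). Assumption: no epoch in the version.
pesign_version_affected() {
    ver="$1"
    fixed="116-1"
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$ver" lt "$fixed"
        return $?
    fi
    major=$(printf '%s\n' "$ver" | sed 's/[^0-9].*$//')
    [ -n "$major" ] && [ "$major" -lt 116 ]
}

# Given a /etc/group or getent-style line ("pesign:x:999:alice,bob"), print
# the supplementary members one per line. Empty output means no account
# besides the pesign user itself has been added to the group.
group_members() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Return 0 if any of the removed helper scripts is still on disk.
# The paths are assumed; the page does not give the installed location.
pesign_helpers_present() {
    found=0
    for f in /usr/bin/pesign-authorize-users /usr/bin/pesign-authorize-groups; do
        if [ -e "$f" ]; then
            echo "still present: $f"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

main() {
    installed=""
    if command -v dpkg-query >/dev/null 2>&1; then
        installed=$(dpkg-query -W -f '${Version}' pesign 2>/dev/null || true)
    fi
    if [ -z "$installed" ]; then
        echo "pesign is not installed here (or dpkg-query is unavailable)"
        return 0
    fi
    if pesign_version_affected "$installed"; then
        echo "pesign $installed predates 116-1: CVE-2022-3560 fix not applied"
    else
        echo "pesign $installed includes the 116-1 fix"
    fi
    pesign_helpers_present || echo "no pesign-authorize-* helpers found"
    grp=$(getent group pesign 2>/dev/null || true)
    if [ -n "$grp" ]; then
        echo "accounts in the pesign group:"
        group_members "$grp"
    fi
}

main "$@"
```

Run it as any user; no privileges are needed for the checks. A host that reports a pre-116 version with non-empty group membership is the configuration the report describes, and the fix is the package upgrade rather than emptying the group.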
