
Re: CVE-2018-10380: kwallet-pam: Access to privileged files



On Wed, May 09, 2018 at 10:30:32PM +0200, Maximiliano Curia wrote:
> Hi Moritz!
> 
> On 2018-05-09 at 20:28 +0200, Moritz Mühlenhoff wrote:
> >On Fri, May 04, 2018 at 09:10:47PM +0200, Maximiliano Curia wrote:
> >>Hi Moritz!
> 
> >>On 2018-05-03 at 23:18 +0200, Maximiliano Curia wrote:
> >>>Hi Moritz!
> 
> >>>On 2018-05-03 at 22:56 +0200, Moritz Muehlenhoff wrote:
> >>>>On Thu, May 03, 2018 at 07:29:42PM +0200, Maximiliano Curia wrote:
> >>>>>Hi,
> 
> >>>>>Following up on the upstream announcement of a security flaw in
> >>>>>kwallet-pam [1] I would like to upload the upstream fixes to
> >>>>>stretch. All the versions prior to the (not yet released) 5.12.6 are
> >>>>>affected by this. The fix was backported by upstream to plasma 5.8,
> >>>>>which is what we shipped in stretch.
> 
> >>>>>The latest 5.8 upstream version (5.8.9), only has a version bump,
> >>>>>and a minor translation update, which are not relevant. [2]
> 
> >>>>>I have already uploaded the fixes to unstable.
> 
> >>>>>I'm attaching the corresponding debdiff.
> 
> >>>>Looks good. Please build with -sa since kwallet-pam is new in stretch-security
> >>>>and upload to security-master. I'll take care of the DSA.
> 
> >>>Uploaded, thanks for taking care of this!
> 
> >>If the patched versions are still not published, please don't publish
> >>them, there are a couple of reported regressions with the patches as is.
> 
> >>https://bugs.kde.org/show_bug.cgi?id=393856
> 
> >>https://bugs.debian.org/897687
> 
> >>https://bugs.launchpad.net/ubuntu/+source/kwallet-pam/+bug/1769187
> 
> >>https://bugs.archlinux.org/task/58446?project=1&string=kwallet-pam
> 
> >>I'm really sorry about this.
> 
> >Is the stderr fix all that was needed in addition? If so, can you
> >upload a revised package?
> 
> Reuploaded, I used the same version, let me know if you prefer/need a version bump.
> 
> Thanks for working on this.

Please bump the version, resetting the build status of an existing build for
the security mirrors is a fairly brittle process...

Cheers,
        Moritz

