Bug#858917: unblock: eject/2.1.5+deb1+cvs20081104-13.2
Control: tags -1 confirmed
Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Hi
>
> Please unblock package eject
>
> Ilja Van Sprundel discovered that the dmcrypt-get-device helper used to
> check if a given device is an encrypted device handled by devmapper, and used
> in eject, does not check return values from setuid() and setgid() when dropping
> privileges. It is not clear if that can be used to execute code as root, since
> all that comes after dropping privileges should actually be from a trusted
> source. But we wanted to be rather sure and released a DSA for eject.
>
> Attached is the debdiff against the version in testing.
>
> unblock eject/2.1.5+deb1+cvs20081104-13.2
>
> Regards,
> Salvatore
>
> [...]
Ok with me; CC'ing KiBi for a d-i ack.
Thanks,
~Niels
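
Added example, not part of the original thread and not code from the eject package: a C privilege drop of the kind the report describes, with the return values of setgid() and setuid() checked and the resulting IDs verified before continuing. The function name `drop_to` is hypothetical, and the example assumes a set-uid helper that returns to the invoking user's real IDs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Returns 0 on success, -1 on any failure.
 * Hypothetical helper for illustration; not taken from eject. */
int drop_to(uid_t uid, gid_t gid)
{
    /* Group first: once root is given up, the group can no longer be
     * changed to an arbitrary value. */
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    /* setuid() can fail (for example EAGAIN under RLIMIT_NPROC on older
     * Linux kernels); ignoring that leaves the process running as root. */
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    /* Do not rely on the return values alone: confirm the resulting IDs. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* If we left root, regaining it must now be impossible. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Assumption: set-uid helper returning to the invoking user's real IDs. */
    if (drop_to(getuid(), getgid()) != 0) {
        fputs("refusing to continue with elevated privileges\n", stderr);
        return EXIT_FAILURE;
    }
    printf("now uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return EXIT_SUCCESS;
}
```

The caller treats any failure as fatal, so nothing after the drop can run with root's IDs still in place.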