Your message dated Sat, 10 Nov 2018 10:42:56 +0000 with message-id <1541846576.3542.38.camel@adam-barratt.org.uk> and subject line Closing bugs for updates included in 9.6 has caused the Debian Bug report #907386, regarding stretch-pu: package libcgroup/0.41-8 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
907386: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907386
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package libcgroup/0.41-8
- From: Markus Koschany <apo@debian.org>
- Date: Mon, 27 Aug 2018 12:22:27 +0200
- Message-id: <153536534710.14366.10612777122523700730.reportbug@spike>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I would like to update libcgroup in Stretch which is affected by CVE-2018-14348. The security team has marked this issue as no-dsa. Please find attached the debdiff. See also https://bugs.debian.org/906308.

Regards,

Markus

diff -Nru libcgroup-0.41/debian/changelog libcgroup-0.41/debian/changelog --- libcgroup-0.41/debian/changelog 2016-04-24 18:51:45.000000000 +0200 +++ libcgroup-0.41/debian/changelog 2018-08-19 23:10:45.000000000 +0200 @@ -1,3 +1,13 @@ +libcgroup (0.41-8+deb9u1) stretch; urgency=high + + * Non-maintainer upload. + * Fix CVE-2018-14348: + The cgrulesengd daemon in libcgroup creates log files with world readable + and writable permissions due to a reset of the file mode creation mask + (umask(0)). (Closes: #906308) + + -- Markus Koschany <apo@debian.org> Sun, 19 Aug 2018 23:10:45 +0200 + libcgroup (0.41-8) unstable; urgency=medium * Drop package libcgroup-dbg in favor of automatic dbgsym packages. diff -Nru libcgroup-0.41/debian/patches/CVE-2018-14348.patch libcgroup-0.41/debian/patches/CVE-2018-14348.patch --- libcgroup-0.41/debian/patches/CVE-2018-14348.patch 1970-01-01 01:00:00.000000000 +0100 +++ libcgroup-0.41/debian/patches/CVE-2018-14348.patch 2018-08-19 23:10:45.000000000 +0200 
@@ -0,0 +1,23 @@ +From: Markus Koschany <apo@debian.org> +Date: Sun, 19 Aug 2018 23:09:25 +0200 +Subject: CVE-2018-14348 + +Bug-Debian: https://bugs.debian.org/906308 +Origin: https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590/ +--- + src/daemon/cgrulesengd.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c +index 367b898..ffd1fc3 100644 +--- a/src/daemon/cgrulesengd.c ++++ b/src/daemon/cgrulesengd.c +@@ -886,8 +886,6 @@ int cgre_start_daemon(const char *logp, const int logf, + exit(EXIT_SUCCESS); + } + +- /* Change the file mode mask. */ +- umask(0); + } else { + flog(LOG_DEBUG, "Not using daemon mode\n"); + pid = getpid(); diff -Nru libcgroup-0.41/debian/patches/series libcgroup-0.41/debian/patches/series --- libcgroup-0.41/debian/patches/series 2016-04-24 18:51:45.000000000 +0200 +++ libcgroup-0.41/debian/patches/series 2018-08-19 23:10:45.000000000 +0200 @@ -4,3 +4,4 @@ initscript-return.patch Syntax-fixes-for-man-pages.patch pam_cgroup-Revert-broken-cache-usage.patch +CVE-2018-14348.patch
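Review bot: In the src/daemon/cgrulesengd.c hunk carried by debian/patches/CVE-2018-14348.patch, dropping the two umask lines leaves cgre_start_daemon() with no umask call in the daemon branch, so the mode of any file the daemon creates now depends on the mask it inherits from whatever starts it. Consider replacing the removed call with an explicit restrictive mask rather than deleting it outright, or giving the log file an explicit mode where it is created, so the result does not vary with the init script or service manager. The patch header would also read better with a one-line description of the change; the Subject is only the CVE id.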
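Review bot: The debian/changelog entry for 0.41-8+deb9u1 describes the defect but not the change or its limits. It should say that the umask(0) call in cgrulesengd is removed, and it is worth noting that nothing in this debdiff touches files that already exist, so log files created world readable and writable by 0.41-8 keep that mode after the upgrade unless the administrator or a maintainer script resets it.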
--- End Message ---
--- Begin Message ---
- To: 886146-done@bugs.debian.org, 891566-done@bugs.debian.org, 891651-done@bugs.debian.org, 891652-done@bugs.debian.org, 891801-done@bugs.debian.org, 892764-done@bugs.debian.org, 892774-done@bugs.debian.org, 893749-done@bugs.debian.org, 895537-done@bugs.debian.org, 898741-done@bugs.debian.org, 899050-done@bugs.debian.org, 903656-done@bugs.debian.org, 903786-done@bugs.debian.org, 904196-done@bugs.debian.org, 904199-done@bugs.debian.org, 904213-done@bugs.debian.org, 904307-done@bugs.debian.org, 904662-done@bugs.debian.org, 905232-done@bugs.debian.org, 905712-done@bugs.debian.org, 905762-done@bugs.debian.org, 906042-done@bugs.debian.org, 906088-done@bugs.debian.org, 906145-done@bugs.debian.org, 906167-done@bugs.debian.org, 906741-done@bugs.debian.org, 906814-done@bugs.debian.org, 906857-done@bugs.debian.org, 907124-done@bugs.debian.org, 907386-done@bugs.debian.org, 907584-done@bugs.debian.org, 907719-done@bugs.debian.org, 907865-done@bugs.debian.org, 907899-done@bugs.debian.org, 908357-done@bugs.debian.org, 908388-done@bugs.debian.org, 908389-done@bugs.debian.org, 908474-done@bugs.debian.org, 908612-done@bugs.debian.org, 908893-done@bugs.debian.org, 908913-done@bugs.debian.org, 908956-done@bugs.debian.org, 908958-done@bugs.debian.org, 909007-done@bugs.debian.org, 909119-done@bugs.debian.org, 909526-done@bugs.debian.org, 909807-done@bugs.debian.org, 909842-done@bugs.debian.org, 909953-done@bugs.debian.org, 910065-done@bugs.debian.org, 910371-done@bugs.debian.org, 910396-done@bugs.debian.org, 910398-done@bugs.debian.org, 910445-done@bugs.debian.org, 910481-done@bugs.debian.org, 910610-done@bugs.debian.org, 910628-done@bugs.debian.org, 910629-done@bugs.debian.org, 910719-done@bugs.debian.org, 910821-done@bugs.debian.org, 910969-done@bugs.debian.org, 911114-done@bugs.debian.org, 911186-done@bugs.debian.org, 911220-done@bugs.debian.org, 911244-done@bugs.debian.org, 911347-done@bugs.debian.org, 911494-done@bugs.debian.org, 911767-done@bugs.debian.org, 
911992-done@bugs.debian.org, 912032-done@bugs.debian.org, 912159-done@bugs.debian.org, 912169-done@bugs.debian.org, 912170-done@bugs.debian.org, 912191-done@bugs.debian.org, 912194-done@bugs.debian.org, 912198-done@bugs.debian.org, 912336-done@bugs.debian.org, 912401-done@bugs.debian.org, 912425-done@bugs.debian.org, 912444-done@bugs.debian.org, 912462-done@bugs.debian.org, 912629-done@bugs.debian.org, 912770-done@bugs.debian.org, 912820-done@bugs.debian.org
- Subject: Closing bugs for updates included in 9.6
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 10 Nov 2018 10:42:56 +0000
- Message-id: <1541846576.3542.38.camel@adam-barratt.org.uk>
Version: 9.6

Hi,

The update referenced by each of these bugs was included in this morning's stretch point release.

Regards,

Adam
--- End Message ---