Bug#907386: stretch-pu: package libcgroup/0.41-8
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
I would like to update libcgroup in Stretch which is affected by
CVE-2018-14348. The security team has marked this issue as no-dsa.
Please find attached the debdiff. See also
https://bugs.debian.org/906308.
Regards,
Markus
diff -Nru libcgroup-0.41/debian/changelog libcgroup-0.41/debian/changelog
--- libcgroup-0.41/debian/changelog 2016-04-24 18:51:45.000000000 +0200
+++ libcgroup-0.41/debian/changelog 2018-08-19 23:10:45.000000000 +0200
@@ -1,3 +1,13 @@
+libcgroup (0.41-8+deb9u1) stretch; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2018-14348:
+ The cgrulesengd daemon in libcgroup creates log files with world readable
+ and writable permissions due to a reset of the file mode creation mask
+ (umask(0)). (Closes: #906308)
+
+ -- Markus Koschany <apo@debian.org> Sun, 19 Aug 2018 23:10:45 +0200
+
libcgroup (0.41-8) unstable; urgency=medium
* Drop package libcgroup-dbg in favor of automatic dbgsym packages.
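Review bot: The changelog entry describes the impact (world readable and writable log files) but not the scope of the fix, which matters for anyone deploying this update: dropping the umask(0) call only affects log files the daemon creates from now on, while log files that already exist on a system keep whatever mode they were created with. Consider adding a sentence such as "Existing log files created by earlier versions keep their permissions and should be corrected by the administrator" so the limitation is visible in the changelog and not only in the bug log.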
diff -Nru libcgroup-0.41/debian/patches/CVE-2018-14348.patch libcgroup-0.41/debian/patches/CVE-2018-14348.patch
--- libcgroup-0.41/debian/patches/CVE-2018-14348.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcgroup-0.41/debian/patches/CVE-2018-14348.patch 2018-08-19 23:10:45.000000000 +0200
@@ -0,0 +1,23 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 19 Aug 2018 23:09:25 +0200
+Subject: CVE-2018-14348
+
+Bug-Debian: https://bugs.debian.org/906308
+Origin: https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590/
+---
+ src/daemon/cgrulesengd.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
+index 367b898..ffd1fc3 100644
+--- a/src/daemon/cgrulesengd.c
++++ b/src/daemon/cgrulesengd.c
+@@ -886,8 +886,6 @@ int cgre_start_daemon(const char *logp, const int logf,
+ exit(EXIT_SUCCESS);
+ }
+
+- /* Change the file mode mask. */
+- umask(0);
+ } else {
+ flog(LOG_DEBUG, "Not using daemon mode\n");
+ pid = getpid();
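Review bot: Removing the two lines `/* Change the file mode mask. */` and `umask(0);` means the daemonized process simply inherits whatever umask its parent had, so the resulting log file mode depends on how cgrulesengd was started (init script, systemd unit, an interactive shell) rather than on anything the daemon controls. Since the point of the change is to stop creating world-writable files, a more deterministic fix would replace `umask(0)` with an explicitly restrictive value (for example `umask(022)` or `umask(077)`) instead of deleting the call, which matches the upstream commit referenced in the Origin header only if upstream made the same choice; if the deletion is kept deliberately to stay identical to upstream, say so in the patch description. Minor style point: after the deletion the hunk leaves an empty line directly before `} else {`, which could be dropped at the same time.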
diff -Nru libcgroup-0.41/debian/patches/series libcgroup-0.41/debian/patches/series
--- libcgroup-0.41/debian/patches/series 2016-04-24 18:51:45.000000000 +0200
+++ libcgroup-0.41/debian/patches/series 2018-08-19 23:10:45.000000000 +0200
@@ -4,3 +4,4 @@
initscript-return.patch
Syntax-fixes-for-man-pages.patch
pam_cgroup-Revert-broken-cache-usage.patch
+CVE-2018-14348.patch