
Bug#907386: stretch-pu: package libcgroup/0.41-8



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I would like to update libcgroup in Stretch which is affected by
CVE-2018-14348. The security team has marked this issue as no-dsa.

Please find attached the debdiff. See also
https://bugs.debian.org/906308.

Regards,

Markus
diff -Nru libcgroup-0.41/debian/changelog libcgroup-0.41/debian/changelog
--- libcgroup-0.41/debian/changelog	2016-04-24 18:51:45.000000000 +0200
+++ libcgroup-0.41/debian/changelog	2018-08-19 23:10:45.000000000 +0200
@@ -1,3 +1,13 @@
+libcgroup (0.41-8+deb9u1) stretch; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2018-14348:
+    The cgrulesengd daemon in libcgroup creates log files with world readable
+    and writable permissions due to a reset of the file mode creation mask
+    (umask(0)). (Closes: #906308)
+
+ -- Markus Koschany <apo@debian.org>  Sun, 19 Aug 2018 23:10:45 +0200
+
 libcgroup (0.41-8) unstable; urgency=medium
 
   * Drop package libcgroup-dbg in favor of automatic dbgsym packages.
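Review bot: the changelog entry (and the debdiff as a whole) says nothing about log files that earlier versions already created with the permissive mode; since the diff adds no maintainer-script change, it would help to note in the changelog (or a NEWS entry) that administrators should check and tighten the permissions of existing cgrulesengd log files, because the fix only affects files created from now on. It would also be worth stating that only daemon mode was affected: the umask(0) being removed sits in the daemonizing branch, just before the `} else {` path that logs "Not using daemon mode", so foreground runs inherited the caller's umask all along.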
diff -Nru libcgroup-0.41/debian/patches/CVE-2018-14348.patch libcgroup-0.41/debian/patches/CVE-2018-14348.patch
--- libcgroup-0.41/debian/patches/CVE-2018-14348.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcgroup-0.41/debian/patches/CVE-2018-14348.patch	2018-08-19 23:10:45.000000000 +0200
@@ -0,0 +1,23 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 19 Aug 2018 23:09:25 +0200
+Subject: CVE-2018-14348
+
+Bug-Debian: https://bugs.debian.org/906308
+Origin: https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590/
+---
+ src/daemon/cgrulesengd.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
+index 367b898..ffd1fc3 100644
+--- a/src/daemon/cgrulesengd.c
++++ b/src/daemon/cgrulesengd.c
+@@ -886,8 +886,6 @@ int cgre_start_daemon(const char *logp, const int logf,
+ 			exit(EXIT_SUCCESS);
+ 		}
+ 
+-		/* Change the file mode mask. */
+-		umask(0);
+ 	} else {
+ 		flog(LOG_DEBUG, "Not using daemon mode\n");
+ 		pid = getpid();
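Review bot: simply deleting `umask(0);` leaves the daemon's file mode creation mask at whatever the parent process (init script, systemd unit, or an interactive shell) happened to set, so the daemon itself still does not guarantee the permissions of the files it creates. A more robust fix would replace the reset with an explicit restrictive mask in the same place, e.g. `umask(027);` or `umask(077);`, so that log files come out predictable regardless of how the daemon was launched; since this patch tracks the upstream commit named in the Origin: header, that could be carried as a separate Debian-specific change or proposed upstream. The hunk context does not show the open() call for the log file, so nothing in this diff confirms what mode is requested there; checking that call against the intended permissions would close the loop. On the header itself, there is no Description: field, but Subject: together with Origin: and Bug-Debian: is acceptable under DEP-3 for a git-format patch.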
diff -Nru libcgroup-0.41/debian/patches/series libcgroup-0.41/debian/patches/series
--- libcgroup-0.41/debian/patches/series	2016-04-24 18:51:45.000000000 +0200
+++ libcgroup-0.41/debian/patches/series	2018-08-19 23:10:45.000000000 +0200
@@ -4,3 +4,4 @@
 initscript-return.patch
 Syntax-fixes-for-man-pages.patch
 pam_cgroup-Revert-broken-cache-usage.patch
+CVE-2018-14348.patch
