
Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650



Hi Thomas,

On Wed, Dec 14, 2022 at 11:52:16AM +0100, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> Hi,
> 
> I have prepared an update for Ceph in Bullseye to address
> CVE-2022-3650 (i.e. ceph-to-root privilege escalation).
> The security team already told me that there will be no DSA.
> 
> [ Reason ]
> (Explain what the reason for the (old-)stable update is. I.e.
> what is the bug, when was it introduced, is this a regression
> with respect to the previous (old-)stable.)
> 
> [ Impact ]
> Anyone logged in as Ceph can become root whenever there's a disk
> event without the attached patch.
> 
> [ Tests ]
> Upstream runs a functional test suite, and I trust it.
> 
> [ Risks ]
> The code is quite trivial and easy to backport (python code).
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> The Python code checks input better and avoids privilege escalation.
> See attached debdiff, it's quite readable.
> 
> Cheers,
> 
> Thomas Goirand (zigo)

> diff -Nru ceph-14.2.21/debian/changelog ceph-14.2.21/debian/changelog
> --- ceph-14.2.21/debian/changelog	2021-05-27 12:04:21.000000000 +0200
> +++ ceph-14.2.21/debian/changelog	2022-11-30 14:20:19.000000000 +0100
> @@ -1,3 +1,10 @@
> +ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium
> +
> +  * CVE-2022-3650: privilege escalation from the ceph user to root. Applied
> +    upstream patches (Closes: #1024932).
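Review bot: the distribution field in the new changelog stanza reads `bullseye-security`, but the mail above says this goes via bullseye-pu with no DSA, so that field needs to be `bullseye` (the stanza line would become `ceph (14.2.21-1+deb11u1) bullseye; urgency=medium`) before the upload. Note also that the hunk header announces seven added lines while only the first four are quoted, so the stanza's maintainer/date trailer is not visible for review here.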

For the upload via bullseye-pu the target distribution needs to be
changed as well to 'bullseye'.

Regards,
Salvatore

