[pkg-lxc-devel] Bug#1029121: bullseye-pu: package lxc/4.0.6-2+deb11u2

Mathias Gibbens gibmat at debian.org
Wed Jan 18 03:36:42 GMT 2023


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-lxc-devel at lists.alioth.debian.org, gibmat at debian.org
Control: affects -1 + src:lxc

[ Reason ]
The version of lxc in bullseye is affected by the low-severity
CVE-2022-47952 which was fixed in the recent release of lxc 5.0.2
(uploaded to unstable yesterday). As the fix was trivial to apply to
the version of lxc in bullseye, I think it would be beneficial to
include it in the next point release.

[ Impact ]
Affected versions of lxc suffer a minor information leak which allows a
local user to infer whether any file exists, even within a protected
directory tree.

[ Tests ]
A manual proof-of-concept test is provided in the upstream commit
fixing this issue.

[ Risks ]
There are no changes to any of the logic of lxc; the error messages
which are returned are modified to be identical in every error case,
preventing the information leak.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Backport upstream commit 1b0469530d7a38b8f8990e114b52530d1bf7f3b8,
which fixes CVE-2022-47952. (The line numbers in the diff shifted
slightly, otherwise no changes to the patch.)

[ Other info ]
The source debdiff is attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lxc_4.0.6-2+deb11u2.debdiff
Type: text/x-patch
Size: 4291 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20230118/85fbf192/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20230118/85fbf192/attachment.sig>