Bug#912007: systemd: CVE-2018-15687: chown_one() can dereference symlinks
Salvatore Bonaccorso
carnil at debian.org
Sat Oct 27 08:53:44 BST 2018
Source: systemd
Version: 239-10
Severity: important
Tags: security upstream
Forwarded: https://github.com/systemd/systemd/pull/10517
Hi,
The following vulnerability was published for systemd.
CVE-2018-15687[0]:
| A race condition in chown_one() of systemd allows an attacker to cause
| systemd to set arbitrary permissions on arbitrary files. Affected
| releases are systemd versions up to and including 239.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-15687
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15687
[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1689
[2] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796692
[3] https://github.com/systemd/systemd/pull/10517
Please adjust the affected versions in the BTS as needed, stretch
should be unaffected as the vulnerable feature/code was introduced
later, but plese confirm if possible.
Regards,
Salvatore
More information about the Pkg-systemd-maintainers
mailing list