Bug#992748: systemd-cron: postinst error - CVE-2017-9525?
Alexandre Detiste
alexandre.detiste at gmail.com
Wed Sep 8 07:36:32 BST 2021
Hi.
I will fix unstable today but I don't know how to learn again to fix the
old releases in a timely maner between so many things to handle at home and
work.
Forking from old git tags and pasting the same new postinst over ?
So for this part help will be welcome.
Greets,
Le mer. 8 sept. 2021 à 07:21, Martin-Éric Racine <martin-eric.racine at iki.fi>
a écrit :
> su 5. syysk. 2021 klo 18.41 Salvatore Bonaccorso (carnil at debian.org)
> kirjoitti:
> >
> > Control: clone 992748 -1
> > Control: retitle -1 systemd-cron: CVE-2017-9525: group crontab to root
> escalation via postinst
> > Control: severity -1 important
> > Control: found -1 1.5.16-1
> > Control: found -1 1.5.14-2
> > Control: tags 992748 - security
> >
> > Hi Chris,
> >
> > On Sun, Sep 05, 2021 at 02:49:40PM +0200, Chris Hofstaedtler wrote:
> > > Control: tags -1 + security
> > >
> > > * Alexandre Detiste <alexandre.detiste at gmail.com> [210905 12:47]:
> > > > Le lun. 23 août 2021 à 04:57, Martin-Éric Racine
> > > > <martin-eric.racine at iki.fi> a écrit :
> > > > > Setting up systemd-cron (1.5.17-1) ...
> > > > > xargs: warning: options --max-args and --replace/-I/-i are
> mutually exclusive, ignoring previous --max-args value
> > > > > Thanks.
> > > >
> > > > This was copy-pasted from src:cron, which must have the same bug now.
> > >
> > > src:cron removed the offending code as part of a security fix in
> > > 2018:
> > >
> > >
> https://salsa.debian.org/debian/cron/-/commit/a10ab4e346e941aaa92f4b671a96895392b917af
> > >
> > > This would suggest CVE-2017-9525 also affects src:systemd-cron.
> >
> > Looks right and confirmed in a quick test. If the attacher has gained
> > crontab group then further escalation is possible.
> >
> > Though technically those two bugs will be resolved at the same step I
> > though to be good to separate the escalation issue and the error in
> > postinst (but as said, they will be fixed basically together).
> >
> > Once fixed in unstable, can you please fix the issue as well via
> > upcoming point releases for bullseye and buster? Similarly as for the
> > src:cron case a DSA is not warranted.
>
> Alexandre,
>
> Do you have time to fix this now? If not, would it be okay for the
> security team to make an NMU for all affected releases?
>
> Martin-Éric
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20210908/63d1ee2d/attachment.htm>
More information about the Pkg-systemd-maintainers
mailing list