Package: procps
Version: 2:3.3.9-9+deb8u1
Severity: minor
Control: found -1 2:3.3.12-3+deb9u1
Control: affects -1 + security.debian.org
Control: affects -1 + release.debian.org

For the security update released as DSA-4208-1 we only explicitly
applied the fixes needed for the security issues without trying to
touch other parts.

top, though, changed its behaviour for CVE-2018-1122.

CVE-2018-1122
top read its configuration from the current working directory if no
$HOME was configured. If top were started from a directory writable
by the attacker (such as /tmp) this could result in local privilege
escalation.

The documentation reads as:
> If the $HOME variable is not present, top will try to write the
> personal configuration file to the current directory, subject to
> permissions.

This is no longer the case.

A future update for procps in stable (via point release? e.g. to
apply the further hardening measures and bugfixes?) could hopefully
rectify the documentation as well.

Regards,
Salvatore
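The configuration lookup the report describes for CVE-2018-1122, as an added example that is not procps code and not part of the bug report: a "fall back to the working directory when $HOME is unset" lookup beside a hardened one that consults the passwd database instead, plus a directory-trust check of the kind a program can apply before reading or writing a per-user file. `.toprc` is top's real configuration file name; the function names, the sample uid, the fake passwd lookup and the scratch directory standing in for /tmp are assumptions made for the illustration.

```python
"""Added example (not procps code): how a config-file lookup that falls back to
the working directory goes wrong when $HOME is unset, beside a hardened lookup
and a directory-trust check. ``.toprc`` is top's real file name; everything
else here (function names, sample uid, fake passwd lookup) is illustrative."""
import os
import pwd
import stat
import tempfile

RC_NAME = ".toprc"          # top's per-user configuration file


def config_path_vulnerable(env, cwd):
    """Pre-fix style lookup (illustrative): with no $HOME, use the working
    directory. Started from /tmp, this points at a file anyone could plant."""
    base = env.get("HOME") or cwd
    return os.path.join(base, RC_NAME)


def _home_from_passwd(uid):
    """Home directory from the passwd database, or None if there is no entry."""
    try:
        return pwd.getpwuid(uid).pw_dir
    except KeyError:
        return None


def config_path_hardened(env, uid, lookup=_home_from_passwd):
    """Hardened lookup: $HOME, else the passwd entry, never the working
    directory. Returns None when no trustworthy home directory is known, in
    which case the caller should run with built-in defaults and write nothing."""
    home = env.get("HOME") or lookup(uid)
    if not home or not os.path.isabs(home):
        return None
    return os.path.join(home, RC_NAME)


def untrusted_dir_reason(directory, uid):
    """Why a directory should not hold a user's config file, or None if it may.
    Same idea as the checks sshd applies to ~/.ssh: owned by the user (or root)
    and not writable by group or others."""
    st = os.stat(directory)
    if st.st_uid not in (uid, 0):
        return "not owned by uid %d" % uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by group or others"
    return None


def demo():
    """Run both lookups against a constructed scratch directory that plays the
    role of /tmp and return what each would do. Nothing outside the scratch
    directory is touched."""
    with tempfile.TemporaryDirectory() as scratch:
        os.chmod(scratch, 0o777)                 # constructed: world-writable, like /tmp
        planted = os.path.join(scratch, RC_NAME)
        with open(planted, "w") as fh:           # constructed: a file some other user left behind
            fh.write("# not the user's own configuration\n")
        env_without_home = {}                    # the precondition from CVE-2018-1122
        uid = os.getuid()
        result = {
            # the old lookup would read the file it did not write itself
            "vulnerable_reads_planted":
                config_path_vulnerable(env_without_home, scratch) == planted,
            # the hardened lookup never lands in the working directory
            "hardened_uses_cwd":
                config_path_hardened(env_without_home, uid, lookup=lambda u: None) == planted,
            "scratch_flagged": untrusted_dir_reason(scratch, uid),
        }
        os.chmod(scratch, 0o700)                 # a private directory passes the check
        result["private_dir_flagged"] = untrusted_dir_reason(scratch, uid)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-26s %r" % (key, value))
```

The hardened lookup deliberately returns `None` rather than some other guess when neither $HOME nor the passwd database yields an absolute path; running with compiled-in defaults and skipping the write is the safe outcome, which is also why the quoted man-page sentence no longer describes the fixed behaviour. The directory check is an extra layer: even with a correct home path, a program that reads configuration it may later act on should refuse a directory that other users can write to.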