Hi!

On Mon, 2023-08-14 at 20:42:10 +0200, Salvatore Bonaccorso wrote:
> Source: inetutils
> Version: 2:2.4-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

> The following vulnerability was published for inetutils.
> 
> CVE-2023-40303[0]:
> | GNU inetutils through 2.4 may allow privilege escalation because of
> | unchecked return values of set*id() family functions in ftpd, rcp,
> | rlogin, rsh, rshd, and uucpd. This is, for example, relevant if the
> | setuid system call fails when a process is trying to drop privileges
> | before letting an ordinary user control the activities of the
> | process.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Thanks! I had seen this on the upstream mailing list but did not think
it was much of an issue for ftpd. But I've now cherry-picked the patch
locally and included it as part of the next Debian package revision,
which I need to polish a bit but will be uploading in a couple of days
at most.

> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2023-40303
>     https://www.cve.org/CVERecord?id=CVE-2023-40303
> [1] https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
> [2] https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg00000.html
> 
> Please adjust the affected versions in the BTS as needed.

Right, I think this affects pretty much all inetutils versions from a
quick «git log -p», but I will double-check to make sure.

Thanks,
Guillem
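
The pattern behind CVE-2023-40303, shown as an added example that is not
from the thread, from inetutils or from the upstream patch: a privilege
drop that ignores the return values of setgid()/setuid() beside one that
checks them and verifies the resulting identity. The function names
(drop_privs_unchecked, drop_privs_checked, fake_*_eperm) are hypothetical,
and the failing set*id() stand-ins are constructed so the failure path can
be exercised without root. The code does not reproduce ftpd, rcp, rlogin,
rsh, rshd or uucpd; it only illustrates the class of bug the CVE text
describes.

```c
/* Added example: checked vs. unchecked privilege drop around set*id(). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Indirection so a failing kernel call can be simulated in the demo. */
typedef int (*setgid_fn)(gid_t);
typedef int (*setuid_fn)(uid_t);

/* Vulnerable pattern (CWE-252 / CWE-273): the return values are ignored.
 * If setuid() fails, e.g. with EPERM, or with EAGAIN because the target uid
 * is at its RLIMIT_NPROC limit, the process keeps its original (privileged)
 * identity yet reports success and goes on to act for the ordinary user. */
static int drop_privs_unchecked(uid_t uid, gid_t gid, setgid_fn sg, setuid_fn su)
{
    sg(gid);
    su(uid);
    return 0;   /* "success", whether or not either call worked */
}

/* Hardened pattern: check every return value and confirm the identity the
 * kernel reports is the one requested. On failure the caller must refuse to
 * continue (a daemon should log and exit rather than serve the session). */
static int drop_privs_checked(uid_t uid, gid_t gid, setgid_fn sg, setuid_fn su)
{
    /* Group first: after setuid() to an unprivileged uid we may no longer be
     * allowed to change the gid. */
    if (sg(gid) == -1) {
        fprintf(stderr, "setgid(%lu) failed: %s\n",
                (unsigned long)gid, strerror(errno));
        return -1;
    }
    if (su(uid) == -1) {
        fprintf(stderr, "setuid(%lu) failed: %s\n",
                (unsigned long)uid, strerror(errno));
        return -1;
    }
    /* Verify real and effective ids actually changed, not just that the
     * calls returned 0. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return -1;
    }
    return 0;
}

/* Constructed stand-ins for a set*id() call the kernel rejects. */
static int fake_setgid_eperm(gid_t gid) { (void)gid; errno = EPERM; return -1; }
static int fake_setuid_eperm(uid_t uid) { (void)uid; errno = EPERM; return -1; }

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Both set*id() calls "fail", yet the unchecked version claims success. */
    printf("unchecked, set*id failing: rc=%d (still uid %lu)\n",
           drop_privs_unchecked(uid, gid, fake_setgid_eperm, fake_setuid_eperm),
           (unsigned long)geteuid());

    /* The checked version refuses to continue. */
    printf("checked,   setuid failing: rc=%d\n",
           drop_privs_checked(uid, gid, setgid, fake_setuid_eperm));

    /* With the real calls and our own ids the drop is a no-op that succeeds. */
    printf("checked,   real set*id:    rc=%d\n",
           drop_privs_checked(uid, gid, setgid, setuid));
    return 0;
}
```

In a daemon such as ftpd the relevant fix is the second shape: a failed
setuid() after authentication is fatal, because continuing would let the
remote user drive a process that still holds root.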
