Hi Guillem,

Nice to read from you.

On Thu, Aug 17, 2023 at 01:19:34AM +0200, Guillem Jover wrote:
> Hi!
>
> On Mon, 2023-08-14 at 20:42:10 +0200, Salvatore Bonaccorso wrote:
> > Source: inetutils
> > Version: 2:2.4-2
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> >
> > The following vulnerability was published for inetutils.
> >
> > CVE-2023-40303[0]:
> > | GNU inetutils through 2.4 may allow privilege escalation because of
> > | unchecked return values of set*id() family functions in ftpd, rcp,
> > | rlogin, rsh, rshd, and uucpd. This is, for example, relevant if the
> > | setuid system call fails when a process is trying to drop privileges
> > | before letting an ordinary user control the activities of the
> > | process.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> Thanks! I had seen this in the upstream mailing list but did not think
> it was much of an issue for ftpd. But I've now cherry picked the patch
> locally, and included it as part of the next Debian package revision,
> which I need to polish a bit but will be uploading in a couple of days
> at most.

Ack, it is not super urgent I think, and note for bookworm and bullseye
we marked it as no-dsa. So while no DSA needed, if you have time as well
for the lower suites a fix might go into the upcoming next point releases.

Regards,
Salvatore
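The failure mode the CVE text describes, shown as an added C example (illustration code written for this page, not inetutils' code and not the Debian or upstream patch): a drop-privileges routine in the unchecked shape beside a checked one. The set*id() calls are passed in as function pointers so that a failing setuid() can be simulated with a constructed stand-in (setuid_always_fails, an assumption for the demo) without needing root. On Linux, setuid() really does fail with EAGAIN when switching to a uid that is already at its RLIMIT_NPROC limit, which is the classic way an ordinary user can make a daemon's privilege drop fail.

```c
/* Added example, not inetutils code: unchecked vs checked set*id() as in CVE-2023-40303. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* set*id() entry points are injectable so a failure can be demonstrated without root. */
typedef int (*setuid_fn)(uid_t);
typedef int (*setgid_fn)(gid_t);

/* Vulnerable shape: results discarded; if setuid() fails the process keeps its old
 * (typically root) identity and goes on to act on the user's behalf anyway. */
static void drop_privileges_unchecked(setgid_fn do_setgid, setuid_fn do_setuid,
                                      uid_t uid, gid_t gid)
{
    (void)do_setgid(gid);
    (void)do_setuid(uid);
}

/* Hardened shape: fail closed on any error, then verify that the kernel really
 * changed the identity rather than trusting the return value alone.
 * Returns 0 on success, -1 with errno set on failure. */
static int drop_privileges_checked(setgid_fn do_setgid, setuid_fn do_setuid,
                                   uid_t uid, gid_t gid)
{
    /* Group first: once the uid is unprivileged, setgid() would no longer be permitted. */
    if (do_setgid(gid) != 0)
        return -1;
    if (do_setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Constructed stand-in for a failing setuid(); EAGAIN is what a hit RLIMIT_NPROC yields. */
static int setuid_always_fails(uid_t uid)
{
    (void)uid;
    errno = EAGAIN;
    return -1;
}

/* 1 if the process currently runs with exactly this real and effective identity. */
static int running_as(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid && getgid() == gid && getegid() == gid;
}

int main(void)
{
    uid_t me = getuid();
    gid_t mine = getgid();

    /* Unchecked: the failed setuid() is silently ignored and execution continues. */
    drop_privileges_unchecked(setgid, setuid_always_fails, me, mine);
    printf("unchecked: carried on as uid %u despite failed setuid()\n", (unsigned)getuid());

    /* Checked: the same failure is reported, and a real daemon would exit here. */
    if (drop_privileges_checked(setgid, setuid_always_fails, me, mine) != 0)
        printf("checked: refusing to continue: %s\n", strerror(errno));

    /* With the real setuid() the checked path succeeds for our own identity. */
    if (drop_privileges_checked(setgid, setuid, me, mine) == 0 && running_as(me, mine))
        printf("checked: verified running as uid %u\n", (unsigned)getuid());
    return 0;
}
```

The ordering matters in the checked version: when dropping from root, setgid() must precede setuid(), otherwise the now-unprivileged process cannot change its group. The explicit getuid()/geteuid() comparison afterwards catches the case where a call returns 0 but the identity is not what the caller intended.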