Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: opu

Fix CVE-2008-1845.

History: I prepared a package with the fix backported and sent it to the security team. I was told that it is not severe enough to warrant a DSA. I responded that I agree but it should still be updated. Now I see on the QA page that I "should fix it". This is why I dug out the old .dsc (debdiff attached) and now would like to request that someone upload this (I'm only a DM, not a DD).

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh

-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 diff -Nru /tmp/kByzvWMkp5/mksh-28.0/debian/changelog /tmp/ptjKC8eoqk/mksh-28.0/debian/changelog - --- /tmp/kByzvWMkp5/mksh-28.0/debian/changelog 2009-10-07 18:08:16.000000000 +0200 +++ /tmp/ptjKC8eoqk/mksh-28.0/debian/changelog 2009-10-07 18:08:17.000000000 +0200 @@ -1,3 +1,10 @@ +mksh (28.0-3) unstable; urgency=high + + * Fix CVE-2008-1845 (unauthenticated local privilege escalation) + using upstream-provided diff + + -- Thorsten Glaser <t...@mirbsd.de> Thu, 17 Apr 2008 21:55:05 +0000 + mksh (28.0-2) unstable; urgency=low * Fix unaligned memory access on IA-64 (same fix was applied diff -Nru /tmp/kByzvWMkp5/mksh-28.0/misc.c /tmp/ptjKC8eoqk/mksh-28.0/misc.c - --- /tmp/kByzvWMkp5/mksh-28.0/misc.c 2006-08-24 22:33:16.000000000 +0200 +++ /tmp/ptjKC8eoqk/mksh-28.0/misc.c 2009-10-07 18:08:17.000000000 +0200 @@ -1437,6 +1437,8 @@ return "setsid"; if (ioctl(fd, TIOCSCTTY, NULL) == -1) return "ioctl"; + if (tcflush(fd, TCIOFLUSH)) + return "tcflush"; dup2(fd, 0); dup2(fd, 1); dup2(fd, 2); -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MirBSD) iQIVAwUBSsy9NXa1NLLpkAfgAQPcbA/9ENGDIXCGgWJK/jGPrms2E78U42TdYOf3 rXf4c4vQAF7b9vJ4RVKn0s99aqPQcoeFGrsYLfzh9f8lLICPw9mXtWI6L5Va4HrI pLfrLGpEDdfDd1cBFr5yxJPgiqwZk3DjWtmasQIjEgqAXKAL0hARlBEvyl7r2jOS wCv8gfTevqpu7re1WQybnB5Sl6x2WNrZeyKLVQmBliChl+7o4GSZz2YuM0CEOQJr 6kV8ExS8lGdu5RziNuzzpvmEExjbXaIyyPYS3shzKaVSjjxQgcLvijc7A113sQtz btSQ63Dg3dzPW5cRsBbo50+sEwQt3LKPQFID4DonbnJPh/5wgieraY7d3xLv+mfs fQWbpY/tiRn7C6cujJHk+Qwuo7c0V3W0DGqPZJaL6Ohp5nnD+sNiJCY4fvflZPYB CGvU/ntmTRVIVCvVxGt1Kdv8oqUPgPzwpD3/2VNcVl82WDLsTahsxi/5vb9TX8vU cEDoTUT8JbMBH3sVeYI6qz9po7XUwvtpdzNNdMa5b/J3o7Vrpa4dshWO3BT7Wzff zqe2ep3kuE6ZANDbxo518Ru+QInecN9Kabl7UaBqb34paDJdB/MV9Oclx6PgSqKP 4EbpgoLAq0NKz5/0Cbj0xs1fXaYsoxOR/5GEOx2LyJmKhFvcm6OYd5Mm0z2/3fUc iWuIulr4c5o= =vXmH -----END PGP SIGNATURE-----
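
Review bot: In the debian/changelog hunk, the new 28.0-3 entry names `unstable` as its distribution, while this request is filed against release.debian.org with `Usertags: opu`. The distribution field and the version string should match the suite the upload is meant for, otherwise the upload will be routed to the wrong queue. The entry would also be easier to audit if it named the file it touches (misc.c) and said that the fix is a terminal flush, since "using upstream-provided diff" gives a reviewer nothing to check against.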
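
Review bot: In the misc.c hunk at line 1437, the added `tcflush(fd, TCIOFLUSH)` check carries no comment explaining why the queues must be discarded at this exact point, after `TIOCSCTTY` succeeds and before the three `dup2()` calls. Since this ordering is the security fix, a one-line comment stating that pending data on the tty is dropped before it becomes stdin/stdout/stderr, with the CVE id, would keep someone from moving or removing it later. The test is also written as `if (tcflush(...))` while the neighbouring `ioctl` check compares against `-1`; matching that style would be more consistent. The hunk adds no include, so please confirm misc.c already pulls in `<termios.h>` for `tcflush` and `TCIOFLUSH` in this backported version.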