Your message dated Tue, 28 Mar 2017 04:48:47 +0000
with message-id <e1csj3n-000dce...@fasolo.debian.org>
and subject line Bug#858872: fixed in eject 2.1.5+deb1+cvs20081104-13.2
has caused the Debian Bug report #858872,
regarding eject: CVE-2017-6964: dmcrypt-get-device does not check the return 
values of setuid() or setgid()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
858872: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858872
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: eject
Version: 2.1.5+deb1+cvs20081104-13
Severity: grave
Tags: patch security

Hi,

the following vulnerability was published for eject.

CVE-2017-6964[0]:
| dmcrypt-get-device, as shipped in the eject package of Debian and
| Ubuntu, does not check the return value of the (1) setuid or (2) setgid
| function, which might cause dmcrypt-get-device to execute code, which
| was intended to run as an unprivileged user, as root. This affects
| eject through 2.1.5+deb1+cvs20081104-13.1 on Debian, eject before
| 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1 on Ubuntu 16.10, eject
| before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1 on Ubuntu 16.04 LTS,
| eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1 on Ubuntu 14.04
| LTS, and eject before 2.1.5+deb1+cvs20081104-9ubuntu0.1 on Ubuntu 12.04
| LTS.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6964
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6964

I prepared an update for sid, which I will attach as debdiff here as
soon as I have the bug number.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: eject
Source-Version: 2.1.5+deb1+cvs20081104-13.2

We believe that the bug you reported is fixed in the latest version of
eject, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated eject package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Mar 2017 06:22:15 +0200
Source: eject
Binary: eject eject-udeb
Architecture: source
Version: 2.1.5+deb1+cvs20081104-13.2
Distribution: unstable
Urgency: high
Maintainer: Frank Lichtenheld <dj...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 858872
Description: 
 eject      - ejects CDs and operates CD-Changers under Linux
 eject-udeb - ejects CDs from d-i menu (udeb)
Changes:
 eject (2.1.5+deb1+cvs20081104-13.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2017-6964: Check the return values when dropping privileges
     (Closes: #858872)
Package-Type: udeb


--- End Message ---
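
The following is an added example, not code from the eject package or from this upload's patch: a checked privilege drop of the kind the CVE text and the changelog entry describe, for a helper that drops to its real uid/gid. The function name drop_privileges and the fail-closed main() are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently drop to uid/gid. Returns 0 only when the drop is verified.
 * The flawed pattern this replaces is the bare pair
 *     setgid(getgid()); setuid(getuid());
 * where a failed call goes unnoticed and the caller keeps running as root.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Group first: once the uid is dropped, changing the gid is refused. */
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    /* setuid(2) can fail (EPERM, EAGAIN, ...); never assume it worked. */
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    /* Confirm real and effective ids are what was requested. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A permanent drop must not be reversible. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Privileged setup for a setuid-root helper would happen before this. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "cannot drop privileges, aborting\n");
        return EXIT_FAILURE;   /* fail closed: no unprivileged work as root */
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return EXIT_SUCCESS;
}
```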
