Your message dated Thu, 30 Mar 2017 19:47:08 +0000
with message-id <e1ctg2g-00012u...@fasolo.debian.org>
and subject line Bug#858872: fixed in eject 2.1.5+deb1+cvs20081104-13.1+deb8u1
has caused the Debian Bug report #858872,
regarding eject: CVE-2017-6964: dmcrypt-get-device does not check the return values of setuid() or setgid()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
858872: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858872
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: eject
Version: 2.1.5+deb1+cvs20081104-13
Severity: grave
Tags: patch security
Hi,
the following vulnerability was published for eject.
CVE-2017-6964[0]:
| dmcrypt-get-device, as shipped in the eject package of Debian and
| Ubuntu, does not check the return value of the (1) setuid or (2) setgid
| function, which might cause dmcrypt-get-device to execute code, which
| was intended to run as an unprivileged user, as root. This affects
| eject through 2.1.5+deb1+cvs20081104-13.1 on Debian, eject before
| 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1 on Ubuntu 16.10, eject
| before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1 on Ubuntu 16.04 LTS,
| eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1 on Ubuntu 14.04
| LTS, and eject before 2.1.5+deb1+cvs20081104-9ubuntu0.1 on Ubuntu 12.04
| LTS.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-6964
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6964
I prepared an update for sid, which I will attach as debdiff here as
soon as I have the bug number.
Regards,
Salvatore
--- End Message ---
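The defect the CVE text above describes, an unchecked setgid()/setuid() pair, shown beside a checked privilege drop; this is an added C example, not code from eject or from Debian's patch, and the function names are hypothetical:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern (the shape CVE-2017-6964 describes): the return values
 * of setgid()/setuid() are ignored. setuid() can fail, e.g. with EAGAIN when
 * the target user is at its process limit, and the code then carries on with
 * the effective uid still 0. */
void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    setgid(gid);
    setuid(uid);
}

/* 1 if all real/effective ids now equal the requested ones, else 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid && getgid() == gid && getegid() == gid;
}

/* Hardened pattern: drop the group first (setgid() needs root, which is gone
 * after setuid()), check each call, then verify the result. Returns 0 on
 * success, -1 on failure; on failure the caller must exit, not continue. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%lu): %s\n", (unsigned long)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%lu): %s\n", (unsigned long)uid, strerror(errno));
        return -1;
    }
    if (!privileges_dropped(uid, gid)) {
        fputs("privilege drop incomplete\n", stderr);
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Resetting to the process's own real ids succeeds even unprivileged. */
    if (drop_privileges_checked(getuid(), getgid()) != 0)
        return 1;
    return 0;
}
```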
--- Begin Message ---
Source: eject
Source-Version: 2.1.5+deb1+cvs20081104-13.1+deb8u1
We believe that the bug you reported is fixed in the latest version of
eject, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 858...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated eject package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 28 Mar 2017 06:58:03 +0200
Source: eject
Binary: eject eject-udeb
Architecture: source
Version: 2.1.5+deb1+cvs20081104-13.1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Frank Lichtenheld <dj...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 858872
Description:
eject - ejects CDs and operates CD-Changers under Linux
eject-udeb - ejects CDs from d-i menu (udeb)
Changes:
eject (2.1.5+deb1+cvs20081104-13.1+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2017-6964: Check the return values when dropping privileges
(Closes: #858872)
Package-Type: udeb
--- End Message ---