Your message dated Mon, 07 Mar 2022 22:04:02 +0000
with message-id <e1nrlsu-000fcz...@fasolo.debian.org>
and subject line Bug#1006485: fixed in fscrypt 0.3.3-1
has caused the Debian Bug report #1006485,
regarding fscrypt: CVE-2022-25326 CVE-2022-25327 CVE-2022-25328
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1006485: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006485
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: fscrypt
Version: 0.3.1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for fscrypt.
CVE-2022-25326[0]:
| fscrypt through v0.3.2 creates a world-writable directory by default
| when setting up a filesystem, allowing unprivileged users to exhaust
| filesystem space. We recommend upgrading to fscrypt 0.3.3 or above and
| adjusting the permissions on existing fscrypt metadata directories
| where applicable.
CVE-2022-25327[1]:
| The PAM module for fscrypt doesn't adequately validate fscrypt
| metadata files, allowing users to create malicious metadata files that
| prevent other users from logging in. A local user can cause a denial
| of service by creating a fscrypt metadata file that prevents other
| users from logging into the system. We recommend upgrading to version
| 0.3.3 or above
CVE-2022-25328[2]:
| The bash_completion script for fscrypt allows injection of commands
| via crafted mountpoint paths, allowing privilege escalation under a
| specific set of circumstances. A local user who has control over
| mountpoint paths could potentially escalate their privileges if they
| create a malicious mountpoint path and if the system administrator
| happens to be using the fscrypt bash completion script to complete
| mountpoint paths. We recommend upgrading to version 0.3.3 or above
The issues do not warrant a DSA, but depending on feasibility it would
be good to have the fixes available as well in bullseye and buster
through a point release.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-25326
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25326
[1] https://security-tracker.debian.org/tracker/CVE-2022-25327
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25327
[2] https://security-tracker.debian.org/tracker/CVE-2022-25328
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25328
[3] https://www.openwall.com/lists/oss-security/2022/02/24/1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
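The CVE-2022-25326 advisory quoted above recommends adjusting the permissions on existing fscrypt metadata directories. The following audit script is an added example, not part of the bug report or of the fscrypt project; it assumes fscrypt's on-disk layout (a `.fscrypt` directory at the mountpoint root containing `policies` and `protectors`) and GNU `stat`.

```shell
# Audit the fscrypt metadata directories under a mountpoint for the
# CVE-2022-25326 condition (world-writable directories). Assumes fscrypt's
# layout: <mountpoint>/.fscrypt with "policies" and "protectors" inside.
# Uses GNU stat (Linux). Prints one line per directory; returns 0 when none
# is world-writable, 1 when at least one is, 2 when no metadata dir exists.
check_fscrypt_metadata() {
    mnt=${1%/}                      # strip trailing slash; "/" becomes ""
    meta="$mnt/.fscrypt"
    [ -d "$meta" ] || { echo "no fscrypt metadata at $meta"; return 2; }
    bad=0
    for d in "$meta" "$meta/policies" "$meta/protectors"; do
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' "$d")   # octal mode, e.g. 755, 777 or 1777
        other=$(( mode % 10 ))      # last digit: permissions for "other"
        if [ $(( other & 2 )) -ne 0 ]; then
            echo "WORLD-WRITABLE $mode $d"
            bad=1
        else
            echo "ok             $mode $d"
        fi
    done
    return "$bad"
}

# Drop the world-write bit from the metadata directories. Unprivileged users
# need write access there to create their own protectors and policies, so
# apply this only on systems where that is not expected.
restrict_fscrypt_metadata() {
    mnt=${1%/}
    for d in "$mnt/.fscrypt" "$mnt/.fscrypt/policies" "$mnt/.fscrypt/protectors"; do
        [ -d "$d" ] && chmod o-w "$d"
    done
    return 0
}

# Constructed demo input: a scratch directory standing in for a mountpoint
# set up by a vulnerable fscrypt (mode 777 metadata directories).
make_demo_mountpoint() {
    d=$(mktemp -d)
    mkdir -p "$d/.fscrypt/policies" "$d/.fscrypt/protectors"
    chmod 777 "$d/.fscrypt" "$d/.fscrypt/policies" "$d/.fscrypt/protectors"
    printf '%s\n' "$d"
}

demo=$(make_demo_mountpoint)
check_fscrypt_metadata "$demo" || restrict_fscrypt_metadata "$demo"
check_fscrypt_metadata "$demo"      # now reports ok for all three
rm -rf "$demo"
```

On a real system run `check_fscrypt_metadata /` (or the mountpoint you passed to `fscrypt setup`) first, and apply `restrict_fscrypt_metadata` only after deciding whether non-root users on that host are meant to create their own protectors.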
--- Begin Message ---
Source: fscrypt
Source-Version: 0.3.3-1
Done: Paride Legovini <par...@debian.org>
We believe that the bug you reported is fixed in the latest version of
fscrypt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1006...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paride Legovini <par...@debian.org> (supplier of updated fscrypt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 07 Mar 2022 21:32:01 +0000
Source: fscrypt
Architecture: source
Version: 0.3.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Paride Legovini <par...@debian.org>
Closes: 1006485
Changes:
 fscrypt (0.3.3-1) unstable; urgency=medium
 .
   * New upstream version 0.3.1.
     Closes: #1006485, tracking:
     - CVE-2022-25326
     - CVE-2022-25327
     - CVE-2022-25328
   * d/gbp.conf: debian-branch = debian/latest (DEP-14)
   * d/copyright: update copyright years for debian/*
--- End Message ---