Originally posted by Util-linux 2.22 Release Notes {Sep 4, 2012}
Ubuntu Hit By A Vulnerability In "Eject"
-
Originally posted by bregma
The answer is pretty simple: the standalone package predates integration of the utility into util-linux.
Originally posted by bregma
I believe Debian is now dropping it in favour of the util-linux version.
(This involves both the old eject package, the util-linux packages and the debian-installer because of eject-udeb, which maybe should just be replaced by applets from busybox.)
Originally posted by bregma
The package in question is not "written at ubuntu"; it's imported directly unmodified from Debian. At least, until the patch was added that fixes this bug. The story should actually read "Ubuntu patches a security hole in a Debian package it's redistributing" since anything else is an untruth.
Greetings from your Debian util-linux maintainer. Looking forward to reviewing your patches to deprecate the eject source/package!
-
Originally posted by LoneVVolf
Does that mean Debian and Ubuntu have been removing eject support from util-linux for 4+ years now?
If you prefer the util-linux implementation (which is just one of very many eject implementations being used in the wild) then feel free to post patches for transitioning over to that one in Debian.
-
Originally posted by monraaf
Debian never ever shipped eject from util-linux, so it was never "removed".
-
Originally posted by TheBlackCat
The CVE doesn't list Debian as being affected.
It is patched in Debian also:
-
Originally posted by M@yeulC
Good report there: https://bugs.launchpad.net/ubuntu/+s...t/+bug/1673627
Doesn't look too bad, in my limited understanding. Unless there is a way to deliberately make the setuid and setgid calls fail? Anyone? I would be curious.
"Note: there are cases where setuid() can fail even when the caller is UID 0; it is a grave security error to omit checking for a failure return from setuid(). if an environment limits the number of processes a user can have, setuid() might fail if the target uid already is at the limit."
-
Originally posted by dh04000
Because a platform that never reports finding bugs is more safe than one that finds and reports them. /s
-
Originally posted by schmidtbag
This is one of the only disadvantages to open-source software: a malicious attacker can spend the time analyzing code for security flaws and get away with performing the attack, at least for a little while.
This is why stable and development branches are separate, to let stable versions maturate their guarantee.
with closed source you can never be sure
-
Originally posted by bellamyb
From a similar bug report for GlusterFS (http://lists.gluster.org/pipermail/b...st/032052.html)
"Note: there are cases where setuid() can fail even when the caller is UID 0; it is a grave security error to omit checking for a failure return from setuid(). if an environment limits the number of processes a user can have, setuid() might fail if the target uid already is at the limit."
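The two comments above (the reply to M@yeulC and bellamyb's GlusterFS quote) make the same point: a setuid helper that drops privileges must check the return value of every setgid()/setuid() call, because those calls can fail even for UID 0 (for example when the target uid is already at its process limit), and a helper that ignores the failure keeps running as root. The following C function, added here as an illustration and not code from eject, util-linux or Debian, shows the defensive pattern: drop supplementary groups first (only possible while root), then gid, then uid, check each return value, and finally confirm that root cannot be regained before doing any further work. The function name and the hypothetical caller in main() are assumptions of this example.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when the real and effective ids both equal uid/gid, else 0.
 * Only the POSIX getuid()/geteuid() family is used, so this builds without
 * glibc feature macros. */
int privileges_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Permanently drop to uid/gid. Returns 0 on success and -1 on any failure;
 * the caller must treat -1 as fatal instead of continuing with root rights.
 * Order matters: supplementary groups and gid are changed while we are still
 * root, because after setuid() to a non-root uid those calls would fail. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() is only permitted for root; skip it when not running as root
     * (an unprivileged caller has no groups to shed that way anyway). */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        fprintf(stderr, "setgroups failed: %s\n", strerror(errno));
        return -1;
    }
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%lu) failed: %s\n",
                (unsigned long)gid, strerror(errno));
        return -1;
    }
    /* This is the call the man page note warns about: it can fail even for
     * UID 0, e.g. when the target uid is at its process limit. */
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%lu) failed: %s\n",
                (unsigned long)uid, strerror(errno));
        return -1;
    }
    /* Belt and braces: verify the ids really changed, and, if we dropped to a
     * non-root uid, that root cannot simply be regained. */
    if (!privileges_match(uid, gid)) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return -1;
    }
    if (uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "privileges could be regained after drop\n");
        return -1;
    }
    return 0;
}

/* Hypothetical caller: drop to the invoking user's ids, then refuse to go
 * on if that failed. A real helper would drop to a dedicated account. */
int main(void)
{
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "refusing to continue with elevated privileges\n");
        return 1;
    }
    printf("running as uid %lu gid %lu\n",
           (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```

The important behaviour is the early return on every failed call: the buggy pattern the thread discusses is the one where the result of setuid()/setgid() is simply ignored and execution continues with whatever privileges the process still holds.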