Ubuntu Hit By A Vulnerability In "Eject"

  • dungeon
    replied
    Originally posted by TheBlackCat
    The CVE doesn't list Debian as being affected.
    Just don't read that Ubuntu-only shit, but the common one:

    It is patched in Debian also:


  • monraaf
    replied
    Originally posted by monraaf

    Debian never ever shipped eject from util-linux, so it was never "removed".
    To clarify, we never shipped a binary built from util-linux source of eject. The source has always shipped in the util-linux source package since util-linux grew an implementation of eject.


  • monraaf
    replied
    Originally posted by LoneVVolf
    Does that mean Debian and Ubuntu have been removing eject support from util-linux for 4+ years now?
    Debian never ever shipped eject from util-linux, so it was never "removed".

    If you prefer the util-linux implementation (which is just one of very many eject implementations being used in the wild) then feel free to post patches for transitioning over to that one in Debian.


  • monraaf
    replied
    Originally posted by bregma
    The answer is pretty simple: the standalone package predates integration of the utility into util-linux.
    That's at least part of the answer.

    Originally posted by bregma
    I believe Debian is now dropping it in favour of the util-linux version.
    Not until someone does the actual work. Patches welcome.
    (This involves both the old eject package, the util-linux packages and the debian-installer because of eject-udeb which maybe should just be replaced by applets from busybox.)

    Originally posted by bregma
    The package in question is not "written at ubuntu" it's imported directly unmodified from Debian. At least, until the patch was added that fixes this bug. The story should actually read "Ubuntu patches a security hole in a Debian package it's redistributing" since anything else is an untruth.
    Not quite true. The vulnerability was in the "dmcrypt-get-device" utility. That tool has been bundled into the eject package but doesn't come in the upstream sources for the package. It's true that this happened in the Debian package (which was imported to ubuntu), but where did this tool come from? Read the sources and you'll find out.... (spoiler alert: Canonical).

    Greetings from your Debian util-linux maintainer. Looking forward to reviewing your patches to deprecate the eject source/package!


  • LoneVVolf
    replied

    Originally posted by Util-linux 2.22 Release Notes (Sep 4, 2012)
    eject(1):
      - has been merged from inactive upstream from sf.net and Fedora into util-linux
      - supports new options --manualeject, --force and --no-partitions-unmount
    Does that mean Debian and Ubuntu have been removing eject support from util-linux for 4+ years now?


  • TheBlackCat
    replied
    Originally posted by bregma
    The answer is pretty simple: the standalone package predates integration of the utility into util-linux. I believe Debian is now dropping it in favour of the util-linux version.

    The package in question is not "written at ubuntu" it's imported directly unmodified from Debian. At least, until the patch was added that fixes this bug. The story should actually read "Ubuntu patches a security hole in a Debian package it's redistributing" since anything else is an untruth.
    The CVE doesn't list Debian as being affected.


  • bregma
    replied
    Originally posted by hussam
    The real question is why they are using the standalone eject package instead of the one maintained inside util-linux.
    The answer is pretty simple: the standalone package predates integration of the utility into util-linux. I believe Debian is now dropping it in favour of the util-linux version.

    The package in question is not "written at ubuntu" it's imported directly unmodified from Debian. At least, until the patch was added that fixes this bug. The story should actually read "Ubuntu patches a security hole in a Debian package it's redistributing" since anything else is an untruth.


  • Guest
    replied
    The real question is why they are using the standalone eject package instead of the one maintained inside util-linux.


  • schmidtbag
    replied
    Originally posted by dh04000
    That's a crazy place for a bug. Good thing it's patched now. I think the bigger story is HOW someone found out that the eject function was buggy.
    Agreed. It always amazes me how hackers find the most crazy ways of hacking into something. It takes a lot of creative thinking to figure out this kind of stuff. On the other hand - this is one of the only disadvantages to open-source software: a malicious attacker can spend the time analyzing code for security flaws and get away with performing the attack, at least for a little while. Since apparently security flaws can be found in the most innocent places (such as "eject"), no white-hat hacker is going to go around looking at every binary in the hopes of finding something exploitable. This is even assuming they're creative enough to figure it out in the first place. For black-hats, it's a different story - they tend to have a specific target, so they only need to analyze a narrow scope of potential weaknesses.


  • dh04000
    replied
    Originally posted by Sethox
    I am glad I recently ejected out of Ubuntu to Solus.
    But really, at least it was found and disclosed.
    Because a platform that never reports finding bugs is more safe than one that finds and reports them. /s
