CVE-2022-2787: [SECURITY] [DSA 5213-1] schroot security update
Schroot before 1.6.13 had too permissive rules on chroot or session names, allowing a denial of service on the schroot service for all users that may start a schroot session.
- To: [email protected]
- Subject: [SECURITY] [DSA 5213-1] schroot security update
- From: Salvatore Bonaccorso <[email protected]>
- Date: Thu, 18 Aug 2022 11:57:49 +0000
- Message-id: <[email protected]>
- Reply-to: [email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Debian Security Advisory DSA-5213-1                   [email protected]
https://www.debian.org/security/                       Salvatore Bonaccorso
August 18, 2022                       https://www.debian.org/security/faq

Package        : schroot
CVE ID         : CVE-2022-2787
Julian Gilbey discovered that schroot, a tool allowing users to execute commands in a chroot environment, had too permissive rules on chroot or session names, allowing a denial of service on the schroot service for all users that may start a schroot session.
Note that existing chroots and sessions are checked during upgrade, and an upgrade is aborted if any future invalid name is detected.
Problematic sessions and chroots can be checked before upgrading with the following command:
schroot --list --all | LC_ALL=C grep -vE '^[a-z]+:[a-zA-Z0-9][a-zA-Z0-9_.-]*$'
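The command above lists every chroot, session and source entry and prints only those whose name falls outside the pattern the fixed schroot accepts. The following is an added example, not part of the advisory, that wraps the same filter in functions so the check can be run against a captured listing (the sample lines below are constructed in the type:name shape the advisory's regex expects, not real output):

```shell
# Constructed sample in the shape of `schroot --list --all` output (type:name per line).
# Two entries deliberately break the rule: one contains a space, one starts with "-".
SAMPLE_LIST='chroot:bullseye-amd64
chroot:my chroot
session:build-2022.08
session:-leading-dash
source:sid_i386'

# Print the lines that do not satisfy the name rule from the advisory.
# LC_ALL=C keeps the bracket expressions byte-based, as in the advisory's command.
find_invalid_names() {
    printf '%s\n' "$1" | LC_ALL=C grep -vE '^[a-z]+:[a-zA-Z0-9][a-zA-Z0-9_.-]*$'
}

# Count the offending entries; prints 0 (exit status 0) when every name is valid.
count_invalid_names() {
    find_invalid_names "$1" | wc -l | tr -d ' '
}

# Usage against a live system would be: find_invalid_names "$(schroot --list --all)"
find_invalid_names "$SAMPLE_LIST"
```

A non-zero count means the upgrade will abort until the listed sessions are ended or the chroots renamed as described in the NEWS file linked below.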
See https://codeberg.org/shelter/reschroot/src/tag/release/reschroot-1.6.13/NEWS#L10-L41 for instructions on how to resolve such a situation.
For the stable distribution (bullseye), this problem has been fixed in version 1.6.10-12+deb11u1.
We recommend that you upgrade your schroot packages.
For the detailed security status of schroot please refer to its security tracker page at: https://security-tracker.debian.org/tracker/schroot
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmL+KGJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QPdw/7BxDIMRgoa6zm6iTUvN/hcaim3Z1SJ/ZQhAaKtdU1RtqqlOz/BcQiovrZ
6xfl+Ss8kWQRjuqmR2G30tnLY2nW992vNw5PhQl/mlC4NHkFZIySPNQioAuesiF1
jp0iAvTwDGyHsrZmRdPIP3qB+PwycKnK57dq5FZizS9UNs7VYMLFDwXRk0XmhtwV
F1U8JxX57cfPtxFspoIWEGBa8yuD4IWR/UDzd/taWd4LspB1K2gyEfN2uacvGGwl
UGu2/hjAGOQwIlSvRHpuYlgb4FZCM7v2hQNeb0okIOQb+Id0g1kqxVuAdP03GrTp
s/5B+cUh9IFG2fEccOgB5YUz5T5p9NUD2CgccCa3GjXrsDg8qpig5RCVC5KShvYF
9JHcl6l09LQVZdVtGpJKVIpCyrGjLEKUpwsHZPbDs3/r4UkL8Hj7H4Us4d1dN1bB
vtjaxPJ2uCzlEXhc6bzTV6dLLUj0qmO8pxAIoOce9MI3GVIUTMPr7RnRYMewN4Re
++mJRLSEQNOpcg9YOfLh5eVr/RB21ZuqI+9/N0OzJ9oHvnSyuegKzCzJV6EsTsjF
vKnpy7Pb6agPb+M3GW7TfWuftvNbtnmsyM942OgeqYl/jvK0lvRaNLyJIi/FYry0
t3mmo/QsdgBVua4yfIragbUwBk3mcAnMvhivOJFJoBSrigfUErg=
=Gh4e
-----END PGP SIGNATURE-----
Related news
Ubuntu Security Notice 5584-1 - It was discovered that Schroot incorrectly handled certain Schroot names. An attacker could possibly use this issue to break schroot's internal state causing a denial of service.