Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file

To: Salvatore Bonaccorso <carnil@debian.org>, 973748@bugs.debian.org, Debian FTP Masters <ftpmaster@ftp-master.debian.org>, dak@security.debian.org
Subject: Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file
From: Norbert Preining <norbert@preining.info>
Date: Thu, 5 Nov 2020 20:26:07 +0900
Message-id: <[🔎] 20201105112607.GA36413@bulldog.preining.info>
Reply-to: Norbert Preining <norbert@preining.info>, 973748@bugs.debian.org
In-reply-to: <E1kacqJ-0003c5-ND@seger.debian.org> <[🔎] 160449433254.22150.933936578574498063.reportbug@lorien.valinor.li>
References: <[🔎] 160449433254.22150.933936578574498063.reportbug@lorien.valinor.li>

Hi Salvatore, hi FTP Master,

@Salvatore: thanks for the NMU preparation. We are now preparing a fix
for unstable via version 0.19, and at the same time I thought I upload
to buster-security, based on your patch,

But, uploading to security-master with dput I got the following answer:

On Thu, 05 Nov 2020, Debian FTP Masters wrote:
> sddm_0.18.0-1+deb10u1.dsc: Does not match file already existing in the pool.

Do you or ftpmaster could explain me what I did wrong?

The included files are
Checksums-Sha1:
 f8d882dbf4cf377fa0c7a4277a56b7f7c25e2a64 2334 sddm_0.18.0-1+deb10u1.dsc
 a33d316b613a52b2af435c3516ed9abac7ea34d5 52864 sddm_0.18.0-1+deb10u1.debian.tar.xz
 5ed47e94dc64af78fe960358b8b009afb840e16a 13613 sddm_0.18.0-1+deb10u1_source.buildinfo
and the upload was a source-only to Distribution: buster-security.

Thanks

Norbert

--
PREINING Norbert                              https://www.preining.info
Accelia Inc. + IFMGA ProGuide + TU Wien + JAIST + TeX Live + Debian Dev
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13

Reply to:

Follow-Ups:
- Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file
  - From: Salvatore Bonaccorso <carnil@debian.org>

References:
- Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Paris 2021 conferene
Next by Date: Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file
Previous by thread: Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file
Next by thread: Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file
Index(es):
- Date
- Thread