Debian Security Advisory
DSA-2362-1 acpid -- several vulnerabilities
- Date Reported:
- 10 Dec 2011
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2011-1159, CVE-2011-2777, CVE-2011-4578.
- More information:
Multiple vulnerabilities were found in the ACPI Daemon, the Advanced Configuration and Power Interface event daemon:
Vasiliy Kulikov of OpenWall discovered that the socket handling is vulnerable to denial of service.
Oliver-Tobias Ripka discovered that incorrect process handling in the Debian-specific powerbtn.sh script could lead to local privilege escalation. This issue doesn't affect oldstable. The script is only shipped as an example in /usr/share/doc/acpid/examples. See /usr/share/doc/acpid/README.Debian for details.
Helmut Grohne and Michael Biebl discovered that acpid sets a umask of 0 when executing scripts, which could result in local privilege escalation.
For the oldstable distribution (lenny), this problem has been fixed in version 1.0.8-1lenny4.
For the stable distribution (squeeze), this problem has been fixed in version 1:2.0.7-1squeeze3.
For the unstable distribution (sid), this problem will be fixed soon.
We recommend that you upgrade your acpid packages.