Debian Security Advisory

DSA-2362-1 acpid -- several vulnerabilities

Date Reported:
10 Dec 2011
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2011-1159, CVE-2011-2777, CVE-2011-4578.
More information:

Multiple vulnerabilities were found in the ACPI Daemon, the Advanced Configuration and Power Interface event daemon:

  • CVE-2011-1159

    Vasiliy Kulikov of OpenWall discovered that the socket handling is vulnerable to denial of service.

  • CVE-2011-2777

    Oliver-Tobias Ripka discovered that incorrect process handling in the Debian-specific script could lead to local privilege escalation. This issue doesn't affect oldstable. The script is only shipped as an example in /usr/share/doc/acpid/examples. See /usr/share/doc/acpid/README.Debian for details.

  • CVE-2011-4578

    Helmut Grohne and Michael Biebl discovered that acpid sets a umask of 0 when executing scripts, which could result in local privilege escalation.

For the oldstable distribution (lenny), this problem has been fixed in version 1.0.8-1lenny4.

For the stable distribution (squeeze), this problem has been fixed in version 1:2.0.7-1squeeze3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your acpid packages.