Debian Security Advisory
DSA-2984-1 acpi-support -- security update
- Date Reported:
- 22 Jul 2014
- Affected Packages:
- acpi-support
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2014-1419.
- More information:
-
CESG discovered a root escalation flaw in the acpi-support package. An unprivileged user can inject the DBUS_SESSION_BUS_ADDRESS environment variable to run arbitrary commands as root user via the policy-funcs script.
For the stable distribution (wheezy), this problem has been fixed in version 0.140-5+deb7u1.
For the testing distribution (jessie), this problem has been fixed in version 0.142-2.
For the unstable distribution (sid), this problem has been fixed in version 0.142-2.
We recommend that you upgrade your acpi-support packages.