[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DSA 4134-1] util-linux security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4134-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 10, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : util-linux
CVE ID         : CVE-2018-7738
Debian Bug     : 892179

Bjorn Bosselmann discovered that the umount bash completion from
util-linux does not properly handle embedded shell commands in a
mountpoint name. An attacker with rights to mount filesystems can take
advantage of this flaw for privilege escalation if a user (in particular
root) is tricked into using the umount completion while a specially
crafted mount is present.

For the stable distribution (stretch), this problem has been fixed in
version 2.29.2-1+deb9u1.

We recommend that you upgrade your util-linux packages.

For the detailed security status of util-linux please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/util-linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqkUlhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0SBvw//Y+r6WIIllVv5g4A4Oi+2x0jsJ4zlFek1Qbsx0RTXdWTKd7si3GjNnEN3
brn0Ml7GVgPY096nId0lwXQ4DhIVxy22KD9UU3UJSfJ4raK5P/auwSe+Xv9zzYAp
NuArtByKca08wInZTxTT2ZkpGcc4mlC+L66ZKtTfQ0SsaPpZLs3tRc2KHjRhxtbM
WGkNFfxLsAzp4p1UEQrYL9Zo02ka4GerSQrmbVfPZ44Ku99ZrRwsz458Wk4PjOSR
DB8z7txkO16xX4iF7Er+eq1OaKEeVXUu1a3pCXdglWWWQAlegP9f+dPUVuviDJWV
XEoCAK0BNtrtitMiV1a1FjvLp0ABfJmqa+26GYUvWGj2YCRd6lee7MgWfb+Hc+6G
NxcDNDEIdPN5G94oOh29R3dJ6bST+Boi0eYd7Znuj4sIiU7nhbgYVUTd4dGR1WWM
EAsKO4xrHQ5ucmhrb+F28E2N/c81FDeHzgdnOJnwKlCYW2dN2PIW65o6pENE6sQU
aqo+SmdplPQFOha9BAprfKiZ+VIBOVL741RB6wr0i7gnIBH5eCp00XB4Q4l7dLzu
Yg8jWPHPUVJ9m7caJwAj54EnfiKnjvboLVjETbdH99VI0SuaylxE4uzhPhZIob6I
oess20eJQ1EhkjuVQ3cEg6coLeaYPgLIxDsYI8/1YrQpk8KYAbE=
=ne8E
-----END PGP SIGNATURE-----


Reply to: