1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 4208-1] procps security update

    From Salvatore Bonaccorso@1:229/2 to All on Tue May 22 17:50:01 2018
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-4208-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso
    May 22, 2018 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : procps
    CVE ID : CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125
    CVE-2018-1126
    Debian Bug : 899170

    The Qualys Research Labs discovered multiple vulnerabilities in procps,
    a set of command line and full screen utilities for browsing procfs. The
    Common Vulnerabilities and Exposures project identifies the following
    problems:

    CVE-2018-1122

    top read its configuration from the current working directory if no
    $HOME was configured. If top were started from a directory writable
    by the attacker (such as /tmp) this could result in local privilege
    escalation.

    CVE-2018-1123

    Denial of service against the ps invocation of another user.

    CVE-2018-1124

    An integer overflow in the file2strvec() function of libprocps could
    result in local privilege escalation.

    CVE-2018-1125

    A stack-based buffer overflow in pgrep could result in denial
    of service for a user using pgrep for inspecting a specially
    crafted process.

    CVE-2018-1126

    Incorrect integer size parameters used in wrappers for standard C
    allocators could cause integer truncation and lead to integer
    overflow issues.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 2:3.3.9-9+deb8u1.

    For the stable distribution (stretch), these problems have been fixed in version 2:3.3.12-3+deb9u1.

    We recommend that you upgrade your procps packages.

    For the detailed security status of procps please refer to its security
    tracker page at: https://security-tracker.debian.org/tracker/procps

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsEOvJfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0QQLA//cysJZC9QFcw9FipzNT3qTGvvGXI08EzA25AhNAkvRmP/QTfJe/xh+nKG pLFxy54BYCJfRP/mpVZXlr3i1/i5594xWoofDcvrVyhT+l2IoIXs4XhLlUalr6/+ MabPCEq2CBZ3gfJN6y6KILh/KYT4mAeMqXwqO6IcmnL2AkXI5CR4cwjaFyabheHn VrO0geWUA9YyUOrrEaBS4LJUxs1LXCMNVD3qLRNCn063lMj3U4XXWsFbtZCmCVgZ NMgiOm92gfTlwDRYXby7l4aWDvK5cuPhp+q7k6bepaUIElr5ijbtME7Xeqf/4peU r1Rawz3DcxSwag6WBsaQD1aeWoMY65BP366ghIsrfO28qZkeW4SPbe1iUaiZHBGd lmMYRkYEeJiOYvsd0XUms53pzym3AsF1IsNzzS9LgFYZvEp9DsO4M57e4UllYXiS gCEAwJsWYOeaggN07OfhV6qRrggdiBN1fPUEgiQ30IahzCg6NCDaIgLJ7OauHPBS xxN07Y+KnQ8oaPH3Lex1qzqKEeyUn9CV76nWbaWRtJwCyRmC3/SD5wJp94OUuAVE LyHstcL7QrfodcZ/Ff7++Q/zEhUo8IeCtA0kspXyzemN2dE80CBERB4T+5hi0oRi EHncQMzJ7J6DelBpUBS13TyXHrW1mVqtdtulwiWAwsScHXBY/Zo=
    =9bCU
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)