Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#52743 - [s-nail] Local root 0-day
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Friday, 27 January 2017, 23:18 GMT
Last edited by Gaetan Bisson (vesath) - Saturday, 28 January 2017, 00:21 GMT
Details
Usually I wouldn't open a bug report for an outdated package, but as this is a security vulnerability for local root with a working exploit in the wild, I decided to make an exception.
There's a working local root exploit for s-nail (which is in [core] and installed by default), and the CVE request explicitly names Archlinux and claims that this was fixed by upstream today: http://www.openwall.com/lists/oss-security/2017/01/27/7 https://www.sdaoden.eu/code-nail-ann.html
This task depends upon
Closed by Gaetan Bisson (vesath)
Saturday, 28 January 2017, 00:21 GMT
Reason for closing: Not a bug
Additional comments about closing: I'm not moving stuff to [core] without signoffs.
Comment by Gaetan Bisson (vesath) -
Saturday, 28 January 2017, 00:20 GMT
Feel free to help by signing-off on s-nail-14.8.16-1 in [testing].