Giuseppe Iuculano
2009-Oct-15 12:46 UTC
[Secure-testing-team] Bug#551073: CVE-2009-3564: does not reset supplementary groups when it switches to a different user
Package: puppet
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for puppet.

CVE-2009-3564[0]:
| puppetmasterd in puppet 0.24.6 does not reset supplementary groups
| when it switches to a different user, which might allow local users to
| access restricted files.

Unfortunately the vulnerability described above is not important enough
to get it fixed via regular security update in Debian stable and oldstable.
It does not warrant a DSA.

However it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3564
    http://security-tracker.debian.net/tracker/CVE-2009-3564
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Cheers,
Giuseppe
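Added example, not part of the original message and not Puppet's code: a small Ruby model of the class of bug the CVE text describes, with a user switch that leaves the supplementary groups untouched next to one that resets them first. The SimProcess class, the group ids (0, 4, 6), and uid 105 / gid 110 are constructed for illustration.

```ruby
# Constructed model of process credentials so this runs without root. On a real
# system the steps map to Process.initgroups, Process::GID.change_privilege and
# Process::UID.change_privilege. All names and ids below are hypothetical.
class SimProcess
  attr_reader :uid, :gid, :groups

  def initialize(uid:, gid:, groups:, group_db:)
    @uid, @gid, @groups, @group_db = uid, gid, groups, group_db
  end

  def initgroups(user, gid)
    raise Errno::EPERM unless @uid.zero? # only root may replace the group list
    @groups = ([gid] + @group_db.fetch(user, [])).uniq
  end

  def setgid(gid)
    raise Errno::EPERM unless @uid.zero? || gid == @gid
    @gid = gid
  end

  def setuid(uid)
    raise Errno::EPERM unless @uid.zero? || uid == @uid
    @uid = uid
  end
end

# Flawed pattern: uid and gid change, supplementary groups are never reset.
def switch_user_flawed(pr, uid, gid)
  pr.setgid(gid)
  pr.setuid(uid)
end

# Hardened order: replace the group list, then gid, then uid. The uid goes
# last because the two earlier calls still need root.
def switch_user_hardened(pr, user, uid, gid)
  pr.initgroups(user, gid)
  pr.setgid(gid)
  pr.setuid(uid)
end

GROUP_DB = { 'puppet' => [] }.freeze # constructed: puppet has no extra groups

# Supplementary groups left on a simulated root process after the switch.
def leftover_groups(variant)
  pr = SimProcess.new(uid: 0, gid: 0, groups: [0, 4, 6], group_db: GROUP_DB)
  variant == :flawed ? switch_user_flawed(pr, 105, 110) : switch_user_hardened(pr, 'puppet', 105, 110)
  pr.groups
end

puts "flawed: #{leftover_groups(:flawed)}  hardened: #{leftover_groups(:hardened)}"
```

A regression check for a fix of this kind can compare the process's group list after the switch against the target user's own groups and fail on any extra entry.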