[Secure-testing-team] Bug#871321: tenshi: CVE-2017-11746: should create its PID file before dropping privileges
Salvatore Bonaccorso
carnil at debian.org
Mon Aug 7 15:54:07 UTC 2017
Source: tenshi
Version: 0.13-2
Severity: normal
Tags: upstream patch security
Forwarded: https://github.com/inversepath/tenshi/issues/6
Hi,
the following vulnerability was published for tenshi.
CVE-2017-11746[0]:
| Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a
| non-root account, which might allow local users to kill arbitrary
| processes by leveraging access to this non-root account for tenshi.pid
| modification before a root script executes a "kill `cat
| /pathname/tenshi.pid`" command.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-11746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11746
[1] https://github.com/inversepath/tenshi/issues/6
[2] https://github.com/inversepath/tenshi/commit/d0e7f28c13ffbd5888b31d6532c2faf78f10f176
Regards,
Salvatore
More information about the Secure-testing-team
mailing list