PublicDateAtUSN: 2019-02-04
Candidate: CVE-2019-3461
PublicDate: 2019-02-04 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3461
 https://ubuntu.com/security/notices/USN-4077-1
Description:
 Debian tmpreaper version 1.6.13+nmu1 has a race condition when doing a
 (bind) mount via rename() which could result in local privilege
 escalation. Mounting via rename() could potentially lead to a file being
 placed elsewhere on the filesystem hierarchy (e.g. /etc/cron.d/) if the
 directory being cleaned up was on the same physical filesystem. Fixed
 versions include 1.6.13+nmu1+deb9u1 and 1.6.14.
Ubuntu-Description:
Notes:
 ebarretto> Version on trusty needs the fix, but the fix depends on bind mounts
 ebarretto> from util-linux package. And the util-linux in trusty doesn't
 ebarretto> contain that feature. We could use another solution but I am not
 ebarretto> sure how this might affect the race condition.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918956
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.0 HIGH]

Patches_tmpreaper:
upstream_tmpreaper: released (1.6.14)
precise/esm_tmpreaper: DNE
trusty_tmpreaper: ignored (out of standard support)
trusty/esm_tmpreaper: needed
xenial_tmpreaper: released (1.6.13+nmu1+deb9u1build0.16.04.1)
bionic_tmpreaper: released (1.6.13+nmu1+deb9u1build0.18.04.1)
cosmic_tmpreaper: ignored (reached end-of-life)
disco_tmpreaper: not-affected (1.6.14)
eoan_tmpreaper: not-affected (1.6.14)
focal_tmpreaper: not-affected (1.6.14)
groovy_tmpreaper: not-affected (1.6.14)
hirsute_tmpreaper: not-affected (1.6.14)
impish_tmpreaper: not-affected (1.6.14)
jammy_tmpreaper: not-affected (1.6.14)
devel_tmpreaper: not-affected (1.6.14)