Fixes for CVE-2021-31153, CVE-2021-31154 and CVE-2021-31155

Bug #1928381 reported by ed
Affects                        Status        Importance  Assigned to  Milestone
rust-pleaser (Ubuntu)          Fix Released  Undecided   Unassigned
rust-pleaser (Ubuntu Hirsute)  Fix Released  Undecided   Unassigned
rust-pleaser (Ubuntu Impish)   Fix Released  Undecided   Unassigned

Bug Description

Hello,

Matthias Gerstner of SUSE's security team discovered several CVEs in rust-pleaser.

These have since been fixed upstream and are in debian testing/sid.

The debdiff is attached, and details are in:

  <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988071>

Please note, the numeric version is simply an upstream indicator that 0.4 was officially reviewed and free of the faults found in earlier versions. No new features were added.

Ed

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue. I have uploaded a package, along with an appropriate changelog entry, into the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Please test the package once built, and if it tests successfully, comment in this bug with testing performed and we will release it as a security update.

Thanks!

Changed in rust-pleaser (Ubuntu Impish):
status: New → Fix Released
Changed in rust-pleaser (Ubuntu Hirsute):
status: New → In Progress
information type: Private Security → Public Security
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Per discussion on irc, the updated package doesn't setuid on the /usr/bin/please and /usr/bin/pleaseedit binaries. Looking into the issue revealed that the package shipped in hirsute has the same issue.

The debian/rules file overrides dh_fixperms to set the setuid bit on the binaries, but on Ubuntu dh_strip a little further along the build process seems to remove them again.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I have uploaded a new version of the package to the PPA that fixed the missing setuid bits. Please test and comment in this bug. Thanks!

Revision history for this message
ed (edneville) wrote :

Thanks for the rapid response Marc. The changes look good now.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rust-pleaser - 0.4.1-1~21.04.2

---------------
rust-pleaser (0.4.1-1~21.04.2) hirsute-security; urgency=medium

  * Rebuild for hirsute as a security update (LP: #1928381)
    - CVE-2021-31153, CVE-2021-31154, CVE-2021-31155
  * debian/control: remove "Rules-Requires-Root: no" so that the binaries
    don't lose their setuid bits.

 -- Marc Deslauriers <email address hidden> Fri, 14 May 2021 06:47:54 -0400

Changed in rust-pleaser (Ubuntu Hirsute):
status: In Progress → Fix Released
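The regression in this thread (the dh_fixperms override setting the setuid bit, dh_strip on Ubuntu dropping it again, and the "Rules-Requires-Root: no" removal that finally made it stick) is the kind of thing a post-build check catches before publication. The following is an added example, not code from the bug report or from the pleaser project: a POSIX shell script that checks the setuid bit on an unpacked binary and, separately, parses a `dpkg-deb -c` style listing of a built .deb to confirm that the named paths are mode `-rws` and owned by `root/root`. The listing it parses is constructed inline; the paths `./usr/bin/please` and `./usr/bin/pleaseedit` are the ones named in the thread, and `/usr/bin/pleaseedit` deliberately lacks the bit in the sample to show the failure case.

```shell
#!/bin/sh
# Added example (not part of the bug report): verify that setuid bits survived
# the package build. Sample listing below is constructed, not a real artifact.
set -eu

# Return 0 when the file exists and carries the setuid bit (POSIX find -perm -4000).
check_setuid_file() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -prune -perm -4000 2>/dev/null)" ]
}

# Return 0 when every path given after the listing file is setuid root in a
# `dpkg-deb -c` style listing: mode column starts with "-rws", owner is root/root.
# Usage: check_setuid_in_listing <listing-file> ./usr/bin/please ...
check_setuid_in_listing() {
    listing="$1"; shift
    for p in "$@"; do
        awk -v path="$p" '
            $NF == path {
                found = 1
                if (substr($1, 1, 4) == "-rws" && $2 == "root/root") ok = 1
            }
            END { exit (found && ok) ? 0 : 1 }
        ' "$listing" || return 1
    done
    return 0
}

# Write a constructed listing (assumed shape of `dpkg-deb -c pkg.deb` output)
# to the file named in $1. pleaseedit intentionally lacks the setuid bit.
write_sample_listing() {
    cat > "$1" <<'EOF'
drwxr-xr-x root/root         0 2021-05-14 10:47 ./usr/bin/
-rwsr-xr-x root/root   1234567 2021-05-14 10:47 ./usr/bin/please
-rwxr-xr-x root/root   1234567 2021-05-14 10:47 ./usr/bin/pleaseedit
EOF
}

# Stand-alone demonstration over the constructed listing.
demo() {
    tmp=$(mktemp -d)
    write_sample_listing "$tmp/listing"
    for p in ./usr/bin/please ./usr/bin/pleaseedit; do
        if check_setuid_in_listing "$tmp/listing" "$p"; then
            echo "ok: $p is setuid root in the listing"
        else
            echo "MISSING setuid root: $p"
        fi
    done
    rm -rf "$tmp"
}
demo
```

On a real build you would feed `dpkg-deb -c path/to/rust-pleaser_*.deb > listing` into `check_setuid_in_listing` and fail the pipeline when it returns non-zero; `check_setuid_file` covers the same question after `dpkg -i` or `dpkg-deb -x`. Both checks test only the bit and ownership, which is what the thread says was lost, not anything about the binaries' behaviour.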