Bug 13296

Summary: [CVE 21] pesign 115 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: High
CC: a.proklov, m.novosyolov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+
y.tumanov: secteam_verified+
a.proklov: published+
Target Milestone: 2021.1 Fresh R12
Hardware: All
OS: Linux
URL: CVE-2022-3560
Whiteboard:
Platform: 2021.1 ROSA
Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-05-03 18:01:48 MSK
Please patch CVEs for package pesign version 115

INFO (CVEs are): pesign 115, CVEs found:
CVE-2022-3560
Desc: A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-3560
Severity: MEDIUM
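As an added illustration of the symlink check the description says the ACL script lacks, here is a hardened helper written for this report (example code, not pesign's own service script; the function names and the default group name are assumptions). It refuses to grant the ACL when the target, or any path component leading to it, is a symbolic link, so a planted link cannot redirect the grant to an unrelated privileged directory.

```shell
#!/bin/sh
# Hypothetical hardened ACL-setting helper (added example, not pesign's script).
# The flaw described in CVE-2022-3560 is that the ACL is applied without
# checking for symbolic links; this version checks before touching anything.

# Return 0 only if "$1" is an absolute path to a real directory and no
# component of the path (the directory itself or any ancestor) is a symlink.
pesign_acl_target_ok() {
    path=$1
    case $path in
        /*) ;;                      # require an absolute path
        *)  return 1 ;;
    esac
    [ -L "$path" ] && return 1      # the target itself is a link
    [ -d "$path" ] || return 1      # must exist and be a directory
    # Walk every prefix of the path and reject a symlinked ancestor
    # (e.g. /run/pesign reached through a link planted at /run/pesign/..).
    prefix=
    oldifs=$IFS
    IFS=/
    set -- $path
    IFS=$oldifs
    for comp in "$@"; do
        [ -z "$comp" ] && continue
        prefix="$prefix/$comp"
        [ -L "$prefix" ] && return 1
    done
    return 0
}

# Grant the group rwx on the directory only after the target passes the check.
# Assumes setfacl(1) from the acl package is installed; group defaults to 'pesign'.
pesign_grant_group_acl() {
    dir=$1
    group=${2:-pesign}
    if ! pesign_acl_target_ok "$dir"; then
        echo "refusing to set ACL on $dir: symlink in path or not a directory" >&2
        return 1
    fi
    setfacl -m "g:$group:rwx" "$dir"
}
```

Calling `pesign_grant_group_acl /etc/pki/pesign` and `pesign_grant_group_acl /run/pesign` from the service script replaces an unconditional setfacl with one that fails closed.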
Comment 1 Mikhail Novosyolov 2023-05-15 15:15:45 MSK
The version can be bumped.
Comment 2 Svyatoslav Matveev 2023-05-17 09:21:12 MSK
********** QA ADVISORY **********

The CVE is closed by updating the project.

*** pesign
**  upd: 115 -> 116

https://abf.io/build_lists/4440832
https://abf.io/build_lists/4440833
https://abf.io/build_lists/4440831
https://abf.io/build_lists/4440835
Comment 3 Dmitry Postnikov 2023-05-19 13:19:01 MSK
***************************
The update has been sent to testing.
Comment 4 Vladimir Potapov 2023-05-30 18:29:50 MSK
pesign-116-1
https://abf.io/build_lists/4440832
https://abf.io/build_lists/4440833
https://abf.io/build_lists/4440831
https://abf.io/build_lists/4440835
***************************** Advisory ***********************
 upd: 115 -> 116 for CVE fix
**************************************************************
QA Verified
Comment 5 Yury 2023-07-25 14:04:45 MSK
Secteam Verified