From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-announce+bounces-3034-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id B785D158020
	for <garchives@archives.gentoo.org>; Mon, 31 Oct 2022 01:57:54 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 5D460E09C7;
	Mon, 31 Oct 2022 01:45:27 +0000 (UTC)
Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id B51ECE07EE
	for <gentoo-announce@lists.gentoo.org>; Mon, 31 Oct 2022 01:09:01 +0000 (UTC)
Received: from glsamakerdev.dev.gentoo.org (unknown [140.211.166.165])
	by smtp.gentoo.org (Postfix) with ESMTP id 1F238340DA4
	for <gentoo-announce@lists.gentoo.org>; Mon, 31 Oct 2022 01:09:01 +0000 (UTC)
Received: from [172.18.0.3] (unknown [172.18.0.3])
	by glsamakerdev.dev.gentoo.org (Postfix) with ESMTP id 03A758CAA0
	for <gentoo-announce@lists.gentoo.org>; Mon, 31 Oct 2022 01:09:01 +0000 (-00)
Subject: [gentoo-announce] [ GLSA 202210-11 ] schroot: Denial of Service
Precedence: bulk
List-Post: <mailto:gentoo-announce@lists.gentoo.org>
List-Help: <mailto:gentoo-announce+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-announce+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-announce+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-announce.gentoo.org>
X-BeenThere: gentoo-announce@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg="pgp-sha512"; boundary="===============4895136932483469009=="
From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Date: Mon, 31 Oct 2022 01:09:00 -0000
Message-ID: <166717854101.9.5856572838700751803@90bb6a0775af>
X-Archives-Salt: ab2a9f2d-ceb7-4828-84c4-50630527cd93
X-Archives-Hash: 62ec31e3afed64ce3a6e9b6350ddb02c

--===============4895136932483469009==
Content-Type: text/plain; charset="utf-8"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202210-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low
    Title: schroot: Denial of Service
     Date: October 31, 2022
     Bugs: #867016
       ID: 202210-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in schroot which could result in
denial of service of the schroot service.

Background
==========

schroot is a utility to execute commands in a chroot environment.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-util/schroot           < 1.6.13_p2              >= 1.6.13_p2

Description
===========

schroot is unecessarily permissive in rules regarding chroot and session
names.

Impact
======

A crafted chroot or session name can break the internal state of the
schroot service, leading to denial of service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All schroot users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-util/schroot-1.6.13"

References
==========

[ 1 ] CVE-2022-2787
      https://nvd.nist.gov/vuln/detail/CVE-2022-2787

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
--===============4895136932483469009==
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmNfICwACgkQFMQkOaVy
+9kZhg/9GYPIZvspBdDcgQLgAuoggszl9hLN7nyvITWCIG7fgZ7pMLJP2o8W+il9
PI62zXJ1aE9BZJ1KCh0H85wAnIPTNfHwkwHEwvclP0qgTGmAflIBIgPcJSp16mJK
YkAJDQh9kwTeWuFb4vEVMRdhIA8s9X7MWbi04OfwpCaD+9h3/Ny96pyzd5BZlQu1
fJPvKo8JPEsxNErf9tmVGcclRrfq8KpzY5jff5wStVo/0Wv80l/ELyzVjA4RahgN
YRxeaYCSYYXoIp/Po+F2W/aRFopith+UvsQ4/3951+AI6IF9UhK3tJJr+LIVmIzA
KKfyxYRUW+b58c0mOCJpAzE84Y8W+GiQyToynMwWqGUNh8tDr2z9ZTlx8BcHwDYF
duK0fwg97gh5KjiSFlhIKjOG+SgNRGTm529C7o8AHQs29Ob8UFh6iZ/K2t9IO/za
7wJgMchzEqPYqKAdlhc1YIAl70bVn0vAOrHlk76zosjsE9axubYsMQqME4ad1kD8
h1V4I8/2BLXp+omnjrvIaFSYQva2NH1W6S02nhhmpqsYVxNEzeR3j7Wyw3XVwUih
G//Qwbly7UK9yZEVEgabnVksp5ioHAlfveQL3tdgbdrjOYl1Z6IgVGPLL1DZwu5H
tshgKegDK+Qk8IAiV8+mbU1aF/mKrqJgBUULyc+Iw9qP5JpGetc=
=YB4F
-----END PGP SIGNATURE-----

--===============4895136932483469009==--