pesign-115-6.el9.ML.1

Errata ID: AXSA:2023-5201:02

Release date: Tuesday, March 7, 2023 - 06:00
Subject: pesign-115-6.el9.ML.1
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

The pesign packages provide the pesign utility for signing UEFI binaries as well as other associated tools.

Security Fix(es):

* pesign: Local privilege escalation on pesign systemd service (CVE-2022-3560)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-3560
A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.
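
A defender-side check for the condition described above, added here as an example and not taken from the advisory or the pesign package: it reports symbolic links at or under a directory and whether each one resolves outside that tree. The helper name audit_symlinks is hypothetical, and the script assumes a readlink that supports -f.

```sh
#!/bin/sh
# Added example (not from the advisory or the pesign package): report symbolic
# links in a directory tree, the condition the ACL script did not check for.
# audit_symlinks is a hypothetical helper name. Needs readlink -f (coreutils).
#
# Output, one line per finding:
#   ROOT-IS-SYMLINK <root> -> <link text>
#   ESCAPES  <link> -> <resolved path>   resolves outside the tree
#   INTERNAL <link> -> <resolved path>   resolves inside the tree
#   DANGLING <link>                      missing target or link loop
# Returns 0 when the tree holds no symlinks, 1 otherwise.
audit_symlinks() (
    root=$1
    if [ -L "$root" ]; then
        printf 'ROOT-IS-SYMLINK %s -> %s\n' "$root" "$(readlink "$root")"
        exit 1
    fi
    [ -d "$root" ] || exit 0
    real_root=$(cd "$root" && pwd -P) || exit 0
    # -type l matches the links themselves; find does not follow them.
    findings=$(find "$root" -xdev -type l -exec sh -c '
        real_root=$1; shift
        for link in "$@"; do
            target=$(readlink -f -- "$link" 2>/dev/null)
            if [ -z "$target" ] || [ ! -e "$target" ]; then
                printf "DANGLING %s\n" "$link"
                continue
            fi
            case $target in
                "$real_root"|"$real_root"/*)
                    printf "INTERNAL %s -> %s\n" "$link" "$target" ;;
                *)
                    printf "ESCAPES %s -> %s\n" "$link" "$target" ;;
            esac
        done' sh "$real_root" {} +)
    [ -n "$findings" ] || exit 0
    printf '%s\n' "$findings"
    exit 1
)

# The two directories named in the advisory; run with read access to both.
for d in /etc/pki/pesign /run/pesign; do
    audit_symlinks "$d" || true
done
```

A finding is a prompt to review the link, not proof of tampering; the remedy remains the package update listed under Solution.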

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. pesign-115-6.el9.ML.1.src.rpm
    MD5: fa78a2ea5d23e84a70513beffd1eeaed
    SHA-256: 948801d3de92163fe5d60279356377bb99e5c8df3947b8d536cf3a922b6c7ed2
    Size: 145.07 kB

Asianux Server 9 for x86_64
  1. pesign-115-6.el9.ML.1.x86_64.rpm
    MD5: d5b6291cdceaa3fd734bfb017e518168
    SHA-256: 278f9812a8948b515d0d8e5ea2f93d05f7b4a83c51c4b183d34e4d64ffbf3e0a
    Size: 167.16 kB