pesign-0.112-27.el8

エラータID: AXSA:2023-5253:04

Release date: 
Wednesday, April 5, 2023 - 01:07
Subject: 
pesign-0.112-27.el8
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

The pesign packages provide the pesign utility for signing UEFI binaries as well as other associated tools.

Security Fix(es):

* pesign: Local privilege escalation on pesign systemd service (CVE-2022-3560)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-3560
A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.

Solution: 

Update packages.

CVEs: 
CVE-2022-3560
A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.
Additional Info: 

N/A

Download: 

SRPMS
  1. pesign-0.112-27.el8.src.rpm
    MD5: b0a02e2893698b7a6893e300ad0739e6
    SHA-256: 4534c20f0f324f779122a926f5f57640b5809b3ef022b45e82a095ade38b0199
    Size: 142.79 kB

Asianux Server 8 for x86_64
  1. pesign-0.112-27.el8.x86_64.rpm
    MD5: f1d1d5467eb6e10ac9a3a9e78896008d
    SHA-256: 26518322cbadf707aeb90e92f82362d7f94a78267543be978f7f70d8d24aa7a0
    Size: 179.35 kB