dx-packages team mailing list archive

[Bug 1974250] Re: ~/.pam_environment gets created as owned by root

 

This bug was fixed in the package accountsservice - 22.07.5-2ubuntu2

---------------
accountsservice (22.07.5-2ubuntu2) kinetic; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: accountsservice incorrect privilege dropping
    (LP: #1974250)
    - debian/patches/0009-language-tools.patch: updated to not reset
      effective uid, and migrate root-owned .pam_environment file.
    - This change was originally known as CVE-2020-16126 and got reverted
      by mistake in 0.6.55-3ubuntu1.
    - CVE-2022-1804
  * Fix FTBFS with a newer python-dbusmock package:
    - debian/patches/adduser_invocation.patch: fix invocation of AddUser in
      tests/dbusmock/accounts_service.py.
    - debian/patches/setlocked_signature.patch: fix the signature for the
      SetLocked call in tests/dbusmock/accounts_service.py.

 -- Gunnar Hjalmarsson <gunnarhj@xxxxxxxxxx>  Tue, 24 May 2022 19:53:07 +0200

** Changed in: accountsservice (Ubuntu Kinetic)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1974250

Title:
  ~/.pam_environment gets created as owned by root

Status in accountsservice package in Ubuntu:
  Fix Released
Status in accountsservice source package in Jammy:
  Fix Released
Status in accountsservice source package in Kinetic:
  Fix Released

Bug description:
  Something has happened lately with accountsservice, which makes it act
  as root instead of the current user when creating ~/.pam_environment.
  The very old bug #904395 comes to mind, and this smells like a security
  issue.

  The function which is supposed to prevent this behavior is here:

  https://salsa.debian.org/freedesktop-team/accountsservice/-/blob/ubuntu/debian/patches/0010-set-language.patch#L75

  Haven't investigated further yet.
