Ubuntu has issued an advisory on December 8:
http://www.ubuntu.com/usn/usn-1296-1/

Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

CVE-2011-4578 was later fixed upstream and only affects Mageia 1.

Advisory (Mageia 1):
========================

Updated acpid package fixes security vulnerabilities:

Oliver-Tobias Ripka discovered that an ACPI script incorrectly handled power button events. A local attacker could use this to execute arbitrary code, and possibly escalate privileges. The script is installed as /usr/share/doc/acpid/samples/powerbtn/powerbtn.sh, so this only affects systems where this has been added to the acpi configuration (CVE-2011-2777).

Helmut Grohne and Michael Biebl discovered that ACPI scripts were executed with a permissive file mode creation mask (umask). A local attacker could read files and modify directories created by ACPI scripts that did not set a strict umask (CVE-2011-4578).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4578

Advisory (Mageia 2):
========================

Updated acpid package fixes security vulnerability:

Oliver-Tobias Ripka discovered that an ACPI script incorrectly handled power button events. A local attacker could use this to execute arbitrary code, and possibly escalate privileges. The script is installed as /usr/share/doc/acpid/samples/powerbtn/powerbtn.sh, so this only affects systems where this has been added to the acpi configuration (CVE-2011-2777).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2777

========================

Updated packages in core/updates_testing:
========================
acpid-2.0.9-1.1.mga1
acpid-2.0.14-4.1.mga2

from SRPMS:
acpid-2.0.9-1.1.mga1.src.rpm
acpid-2.0.14-4.1.mga2.src.rpm
Whiteboard: (none) => MGA1TOO
Testing complete on Mageia 2 x86-64. Just testing that it works. For the test, I switched to run level 3, logged in as root, stopped the acpid service, and ran "acpid -ld>acpid.log 2>&1", then pressed the power button. After restarting, the log shows it detected the power button and ran /etc/acpi/actions/pm-fallback-shutdown, which powered off the system cleanly. I'll test Mageia 2 i586 shortly.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK
Testing complete on Mageia 2 i586, Mageia 1 x86-64 and Mageia 1 i586. Could someone from the sysadmin team push the srpm acpid-2.0.14-4.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm acpid-2.0.9-1.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates? See the Description for the two different advisories.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA2-64-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
Update pushed:
Mageia 1: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0215
Mageia 2: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0216
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED