CVE-2017-11746

Name: CVE-2017-11746
Description: Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for tenshi.pid modification before a root script executes a "kill `cat /pathname/tenshi.pid`" command.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1069-1
Debian Bugs: 871321

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| tenshi (PTS) | stretch | 0.13-2.1~deb9u1 | fixed |
| | buster | 0.13-2.1 | fixed |
| | bullseye, bookworm | 0.13-7 | fixed |
| | sid, trixie | 0.13-8 | fixed |

The information below is based on the following data on fixed versions.

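| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tenshi | source | wheezy | 0.13-2+deb7u1 | | DLA-1069-1 | |
| tenshi | source | stretch | 0.13-2.1~deb9u1 | | | |
| tenshi | source | (unstable) | 0.13-2.1 | unimportant | | 871321 |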

Notes

https://github.com/inversepath/tenshi/issues/6
https://github.com/inversepath/tenshi/commit/d0e7f28c13ffbd5888b31d6532c2faf78f10f176
Negligible security impact
