CVE-2017-11746

Name: CVE-2017-11746
Description: Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for tenshi.pid modification before a root script executes a "kill `cat /pathname/tenshi.pid`" command.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-1069-1
NVD severity: high (attack range: remote)
Debian Bugs: 871321

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| tenshi (PTS) | wheezy (security) | 0.13-2+deb7u1 | fixed |
| | wheezy, buster, sid, stretch | 0.13-2 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tenshi | source | (unstable) | (unfixed) | unimportant | | 871321 |
| tenshi | source | wheezy | 0.13-2+deb7u1 | high | DLA-1069-1 | |

Notes

https://github.com/inversepath/tenshi/issues/6
https://github.com/inversepath/tenshi/commit/d0e7f28c13ffbd5888b31d6532c2faf78f10f176
Negligible security impact
