• Bug#1104932: finit: CVE-2025-32022

    From Salvatore Bonaccorso@21:1/5 to All on Thu May 8 21:40:01 2025
    Source: finit
    Version: 4.11-1
    Severity: grave
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for finit.

    CVE-2025-32022[0]:
    | Finit provides fast init for Linux systems. Finit's urandom plugin
    | has a heap buffer overwrite vulnerability at boot which leads to it
    | overwriting other parts of the heap, possibly causing random
    | instabilities and undefined behavior. The urandom plugin is enabled
    | by default, so this bug affects everyone using Finit 4.2 or later
    | that do not explicitly disable the plugin at build time. This bug is
    | fixed in Finit 4.12. Those who cannot upgrade or backport the fix to
    | urandom.c are strongly recommended to disable the plugin in the call
    | to the `configure` script.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-32022
    https://www.cve.org/CVERecord?id=CVE-2025-32022
    [1] https://github.com/troglobit/finit/security/advisories/GHSA-fv6v-vw8h-9x79
    [2] https://github.com/troglobit/finit/commit/3feff37ba51fa0a6a0a06f59682a0918aa5b04de

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
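    The advisory above describes a heap buffer overwrite in an entropy-seeding plugin, which is the classic mismatch between how many bytes a heap block holds and how many bytes get written into it. The following is an added example, not finit's code and not a reconstruction of the actual urandom.c defect (the thread does not describe its mechanics); it shows the defensive pattern a seeding routine can use: a buffer that carries its own capacity, so every append and every read from a seed source is bounded by the allocation. The struct and function names are constructed for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed seed buffer: the capacity travels with the data, so no
 * write can silently exceed the malloc'd size (the heap-overwrite class
 * named in the advisory). */
struct seed_buf {
    size_t cap;            /* bytes allocated for data[] */
    size_t len;            /* bytes currently valid */
    unsigned char data[];  /* flexible array, sized by cap */
};

/* Allocate a buffer for exactly cap bytes; guards the size arithmetic
 * against overflow and rejects a zero-length pool. */
struct seed_buf *seed_buf_new(size_t cap)
{
    if (cap == 0 || cap > SIZE_MAX - sizeof(struct seed_buf))
        return NULL;
    struct seed_buf *b = calloc(1, sizeof(*b) + cap);
    if (!b)
        return NULL;
    b->cap = cap;
    return b;
}

/* Append n bytes; returns 0 on success, -1 if it would exceed cap.
 * An unchecked memcpy here is exactly what overwrites neighbouring heap. */
int seed_buf_append(struct seed_buf *b, const void *src, size_t n)
{
    if (!b || !src || n > b->cap - b->len)
        return -1;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Read up to want bytes from a seed source, clamped to the remaining
 * capacity rather than trusting the caller's count. Returns bytes read
 * or -1 on a bad argument. */
long seed_buf_read(struct seed_buf *b, FILE *fp, size_t want)
{
    if (!b || !fp)
        return -1;
    size_t room = b->cap - b->len;
    if (want > room)
        want = room;
    size_t got = fread(b->data + b->len, 1, want, fp);
    b->len += got;
    return (long)got;
}

/* Self-check over constructed input: 1 if every bound holds, 0 otherwise.
 * The seed source is an in-memory stream (fmemopen), so it runs offline. */
int seed_buf_selftest(void)
{
    static unsigned char src[64];          /* constructed seed material */
    for (size_t i = 0; i < sizeof src; i++)
        src[i] = (unsigned char)(i * 7 + 3);

    if (seed_buf_new(0) != NULL)
        return 0;
    struct seed_buf *b = seed_buf_new(16);
    if (!b || b->cap != 16 || b->len != 0)
        return 0;
    if (seed_buf_append(b, src, 32) != -1)   /* larger than allocation */
        return 0;
    if (seed_buf_append(b, src, 10) != 0 || b->len != 10)
        return 0;
    if (seed_buf_append(b, src, 7) != -1)    /* 10 + 7 > 16 */
        return 0;

    FILE *fp = fmemopen(src, sizeof src, "rb");
    if (!fp)
        return 0;
    long got = seed_buf_read(b, fp, 100);    /* asks for far more than fits */
    fclose(fp);
    if (got != 6 || b->len != 16)            /* clamped to remaining room */
        return 0;
    if (memcmp(b->data + 10, src, 6) != 0)
        return 0;
    free(b);
    return 1;
}

int main(void)
{
    printf("seed_buf selftest: %s\n", seed_buf_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The point of the design is that `cap` is the single source of truth for the allocation size: the caller's requested count (here an over-large 100) is clamped to what the block can hold instead of being handed straight to the copy, which is the check whose absence turns an over-read into a heap overwrite.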
  • From Debian Bug Tracking System@21:1/5 to All on Mon May 19 21:40:01 2025

    Your message dated Mon, 19 May 2025 19:34:59 +0000
    with message-id <E1uH6GJ-0062BA-8F@fasolo.debian.org>
    and subject line Bug#1104932: fixed in finit 4.12-1
    has caused the Debian Bug report #1104932,
    regarding finit: CVE-2025-32022
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1104932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104932
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

    Received: (at submit) by bugs.debian.org; 8 May 2025 19:33:07 +0000