facebook / watchman

Watches files and records, or triggers actions, when they change.
https://facebook.github.io/watchman/
MIT License

CVE-2022-21944 vulnerability found in the package #1027

Closed Dipenduroy closed 2 years ago

Dipenduroy commented 2 years ago

Filename: fb-watchman:2.0.1 | Reference: CVE-2022-21944 | CVSS Score: 7.8 | Category: CWE-59 | A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd service file for watchman of openSUSE Backports SLE-15-SP3, Factory allows local attackers to escalate to root. This issue affects: openSUSE Backports SLE-15-SP3 watchman versions prior to 4.9.0. openSUSE Factory watchman versions prior to 4.9.0-9.1.

chadaustin commented 2 years ago

@Dipenduroy Thanks for the heads up. Reading the CVE, it looks like a SUSE-specific packaging issue. Are you suggesting anything be done here, or is this just a notification?

pacorreia commented 2 years ago

@chadaustin It seems something has to be done indeed: fb-watchman must have a requirement for watchman 4.9.0, not allowing earlier versions to run. Maybe there are other points of exploit that might be relevant for this issue.

chadaustin commented 2 years ago

We don't maintain SUSE packaging, so I think Watchman itself is off the hook.