| Package | util-linux |
|---|---|
| Version | 2.26.2+really2.25.2-6+deb8u2 (jessie), 2.29.2-1+deb9u3 (stretch) |
| Related CVEs | CVE-2024-28085 |
Skyler Ferrante discovered that the wall(1) utility found in
util-linux, a collection of system utilities for Linux, does not
filter escape sequences from command line arguments. This allows
unprivileged local users to put arbitrary text on other users
terminals if mesg is set to ‘y’ and the wall executable is setgid,
which could lead to information disclosure.
With this update the wall executable is no longer installed setgid
tty.
For Debian 8 jessie, these problems have been fixed in version 2.26.2+really2.25.2-6+deb8u2.
For Debian 9 stretch, these problems have been fixed in version 2.29.2-1+deb9u3.
We recommend that you upgrade your util-linux packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.