Daniel Baumann - Posts in debian

Debian: Linux Vulnerability Mitigation (pintheft)

2026-05-20T14:27:32+00:00

Following the series of various Linux exploits of the last three weeks, the bug of today is pintheft [no CVE yet] which is local root privilege escalations.

The vulnerability can be mitigated by unloading and blocking rds modules, linux-vulnerability-mitigation as of 20260519-1 (uploaded to sid, trixie-fastforward-backports and people.debian.org/~daniel) does that automatically for you.

Updates:

default Debian kernels (bullseye, bookworm, trixie, and testing/unstable, experimental) are not directly affected because autoloading of the rds modules is disabled by rds-Disable-auto-loading-as-mitigation-against-local.patch.

Debian: Linux Vulnerability Mitigation (ssh-keysign-pwn)

2026-05-15T00:14:39+00:00

After the Linux local root privilege escalations of the last two weeks, the bug of today is ssh-keysign-pwn [CVE-2026-46333] which allows to read root-owned files as an unprivileged user.

Exploiting the vulnerability doesn’t require to load any specific modules like the bugs from the last weeks, this one needs to be fixed by rebooting the system into an updated kernel.

I’ve cherry-picked the upstream commit to fix it in trixie-fastforward-backports (linux 7 backports for trixie), confirmed that the exploits don’t work anymore, and submitted a merge request for sid.

Updates:

linux-vulnerability-mitigation 20260515-1 contains a partial mitigation for ssh-keysign-pwn (this makes all exploits known so far to stop working, however, there’s definitely more needed), thanks to Salvatore Bonaccorso (carnil): echo 2 > /proc/sys/kernel/yama/ptrace_scope

linux-vulnerability-mitigation is uploaded to sid - until it is available on deb.debian.org, use people.debian.org/~daniel

linux 7.0.7-1 is uploaded to trixie-fastforward-backports as 7.0.7-1~ffwd13+u1, replacing the previously cherry-picked 7.0.4-1~ffwd13+u2 upload

Added references to [CVE-2026-46333]

Debian: Linux Vulnerability Mitigation (Dirty Frag)

2026-05-08T03:19:10+00:00

After Copy Fail [CVE-2026-31431] from last week, the new Linux local root privilege escalations of today are Dirty Frag (Part 1) aka Copy Fail 2 [CVE-2026-43284] and Dirty Frag (Part 2) [CVE-2026-43500].

For those who can not update to linux >= 7.0.4-1 that was uploaded to sid and contains the needed fixes (backports for trixie are available in trixie-fastforward-backports), or are waiting for backports and updates to older Debian releases, or can’t reboot on short notice, mitigations might be needed.

Given the current trend, it seems we will see more of these bugs in the future. Therefore, I’ve uploaded a new package linux-vulnerability-mitigation to sid containing the mitigation for both Copy Fail and Dirty Frag (with debconf multiselect).

It can also be downloaded from here:

Tracker: https://tracker.debian.org/pkg/linux-vulnerability-mitigation

Deb: https://deb.debian.org/debian/pool/main/l/linux-vulnerability-mitigation

Git: https://forgejo.debian.net/linux/linux-vulnerability-mitigation

Man: https://manpages.debian.org/linux-vulnerability-mitigation/linux-vulnerability-mitigation.7.en.html

The package is architecture independent, has no dependencies, and can be installed on any version of Debian or Debian derivative.

Updates:

Added references to Dirty Frag Part 2 [CVE-2026-43500]

Updated links to linux-vulnerability-mitigation now that it passed the NEW queue

Debian Fast Forward: An alternative backports repository

2026-02-28T10:23:07+00:00

The Debian project releases a new stable version of its Linux distribution approximately every two years. During its life time, a stable release usually gets security updates only, but in general no feature updates.

For some packages it is desirable to get feature updates earlier than with the next stable release. Some new packages included in Debian after the initial release of a stable distribution are desirable for stable too.

Both use-cases can be solved by recompiling the newer version of a package from testing/unstable on stable (aka backporting). Packages are backported together with only the minimal amount of required build-depends or depends not already fulfilled in stable (if any), and without any changes unless required to fix building on stable (if needed).

There are official Debian Backports available, as well as several well-known unofficial backports repositories. I have been involved in one of these unofficial repositories since 2005 which subsequently turned 2010 into its own Debian derivative, mixing both backports and modified packages in one repository for simplicity.

Starting with the Debian 13 (trixie) release, the (otherwise unmodified) backports of this derivative have been split out from the derivative distribution into a separate repository. This way the backports are more accessible and useful for all interested Debian users too.

TL;DR: Debian Fast Forward - https://fastforward.debian.net

is an alternative Debian repository containing complementary backports from testing/unstable to stable

with packages organized in a curated, self-contained selection of coherent sets

supporting amd64, i386, and arm64 architectures

containing around 400 packages in trixie-fastforward-backports

with 1’800 uploads since July 2025

End user documentation about how to enable Debian Fast Forward is available.

Have fun!