CVE-2011-2777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2777): samples/powerbtn/powerbtn.sh in acpid (aka acpid2) 2.0.16 and earlier uses the pidof program incorrectly, which allows local users to gain privileges by running a program with the name kded4 and a DBUS_SESSION_BUS_ADDRESS environment variable containing commands. References (with patch): https://bugs.launchpad.net/ubuntu/+source/acpid/+bug/893821
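The description above names two weaknesses: a process lookup by name alone (pidof), which any local user can satisfy by naming a process kded4, and a DBUS_SESSION_BUS_ADDRESS value taken from that process's environment and handled in a way that lets it carry shell commands. The following is an added example, not code from acpid or its powerbtn.sh, showing how a defender would harden the second half: the address read from /proc/<pid>/environ is checked against the character set real D-Bus addresses use and is exported as a plain variable, never passed through eval. The function names, the allowed character set and the sample environ block are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not acpid's powerbtn.sh): validate a D-Bus session address
# pulled from another process's environment before exporting it.

# Accept only transport:key=value[,key=value] strings built from the bytes
# D-Bus addresses actually use (assumed charset for this example). ';' is
# deliberately excluded even though D-Bus allows it as a list separator, so a
# validated value can never contain a shell command separator or whitespace.
valid_dbus_address() {
    # Empty values are rejected outright.
    [ -n "$1" ] || return 1
    # Any byte outside the allow-list (space, ;, $, (, `, quotes, ...) rejects.
    case "$1" in
        *[!A-Za-z0-9_:=,%/.@-]*) return 1 ;;
    esac
    # Require a lowercase transport name followed by a colon (e.g. unix:...).
    case "$1" in
        [a-z]*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a NUL-separated environ block on stdin (the format of /proc/<pid>/environ)
# and print the first DBUS_SESSION_BUS_ADDRESS value found, or nothing.
dbus_address_from_environ() {
    tr '\0' '\n' | sed -n 's/^DBUS_SESSION_BUS_ADDRESS=//p' | head -n 1
}

# Import the session bus address of process $1 into this shell's environment,
# but only if it validates. Returns 1 and exports nothing on any problem.
# Note: this does not fix the name-based lookup; the caller must still decide
# which pid is trustworthy (for instance by checking its owner) before calling.
import_session_bus() {
    pid=$1
    [ -r "/proc/$pid/environ" ] || return 1
    addr=$(dbus_address_from_environ < "/proc/$pid/environ")
    valid_dbus_address "$addr" || return 1
    # Plain assignment and export: the value is data, never evaluated as code.
    DBUS_SESSION_BUS_ADDRESS=$addr
    export DBUS_SESSION_BUS_ADDRESS
}

# Usage (from a root helper that already knows a trusted pid):
#   import_session_bus "$trusted_pid" && dbus-send ...
```

The validator is deliberately stricter than the D-Bus address grammar; rejecting an unusual but legitimate address costs a failed power-button action, whereas accepting a crafted one is what the CVE describes.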
Let's stabilize 2.0.17, then.
amd64 stable
x86 stable
Thanks, everyone. GLSA request filed. IA64 should continue with stabilization, but not needed for GLSA.
ia64 stable
Ok, so 2.0.17 is stable for all architectures 2.0.16 was stable on before, and 2.0.16 was removed from the tree. Is there still anything left, or can we close this one?
I think once you drop vulnerable versions, that is all from the maintainer's part and you can unCC, while keeping the bug open to let the security team file the GLSA and those things.
Ok, so vulnerable version dropped, everything ready for security guys :-) Thanks.
This issue was resolved and addressed in GLSA 201310-20 at http://security.gentoo.org/glsa/glsa-201310-20.xml by GLSA coordinator Sergey Popov (pinkbyte).