CVE-2022-2787: 
Linux Debian vulnerability analysis and mitigation

Schroot before version 1.6.13 contained a vulnerability (CVE-2022-2787) related to overly permissive rules on chroot or session names. The vulnerability was discovered by Julian Gilbey and publicly disclosed in August 2022. This security issue affected the schroot utility, which is a tool allowing users to execute commands in a chroot environment (Debian LTS, Debian Security).

The vulnerability stemmed from broad rules implemented in commit 8c1c9370 regarding the allowed characters in chroot or session names. Some of these permitted characters could break schroot's internal state or cause issues in various backends. The fix implemented stricter character limitations, allowing only letters and digits at the start of names, and additionally permitting dots, dashes, and underscores in subsequent positions (Codeberg Commit).

The vulnerability could allow an attacker to cause a denial of service on the schroot service, affecting all users who have permission to start a schroot session. This impact would affect the system's ability to execute commands in chroot environments (Gentoo Security, Ubuntu Security).

The issue was fixed in schroot version 1.6.13. System administrators can check for problematic session and chroot names before upgrading using the command: schroot --list --all | LCALL=C grep -vE '^[a-z]+:[a-zA-Z0-9][a-zA-Z0-9.-]*$'. The upgrade process includes checks for existing chroots and sessions, and will abort if any invalid names are detected (Debian LTS).