intrigeri:
> Control: tag -1 + security
>
> Donncha O'Cearbhaill:
>> Thank you Phil for providing a backport patch. What is the next step
>> needed to get this fix released as a backport? The .desktop security
>> issue is widely known and can be exploited in the wild [1]. IMO this
>> fix should be made available as soon as possible.
>
> IMO the next step is to find out the answer to "Is there any plan
> upstream to backport this fix to their 3.22.x branch, and/or to
> request a CVE?": if this problem is as severe as it sounds, then it
> should be tracked as a security issue and fixed cross-distro, rather
> than patched in only the distros that are lucky enough to have users
> who care about such things.

The upstream developer has indicated that he is willing to make a 3.22.x release if a backport patch is provided. I've sent him a link to Phil Wyett's debdiff which I hope is acceptable.

I will also file a CVE request for this issue which should help to coordinate the release of this fix for other distros.

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=777991