On Sat, Dec 12, 2020 at 10:32:06AM +0100, Salvatore Bonaccorso wrote:
> Source: libappimage
> Version: 0.1.9+dfsg-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/AppImage/libappimage/pull/146
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
> <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for libappimage.
>
> CVE-2020-25265[0]:
> | AppImage libappimage before 1.0.3 allows attackers to trigger an
> | overwrite of a system-installed .desktop file by providing a .desktop
> | file that contains Name= with path components.
I'm not entirely sure if the issue is present as well in 0.1.9. The code
is different, but 0.2.0 merged the desktop_integration part into
libappimage, before the rename/merge of the source files.

I have one comment: There seem to be no users of libappimage within
Debian (anymore), it has low popcon, and there is said security issue.
Should possibly libappimage be removed for bullseye? It would be
possible:

$ dak rm --suite=sid -n -R libappimage
Will remove the following packages from sid:

    libappimage |  0.1.9+dfsg-1 | source
libappimage-dev | 0.1.9+dfsg-1+b1 | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
   libappimage0 | 0.1.9+dfsg-1+b1 | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x

Maintainer: Scarlett Moore <sgmo...@kde.org>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
No dependency problem found.

Or is there something I miss right now? Otherwise it probably should be
updated straight to 1.0.3 for bullseye in time.

Regards,
Salvatore
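The CVE quoted above describes a .desktop file whose Name= value carries path components and ends up overwriting a system-installed .desktop file. The following is an added illustration of the defensive check, written for this thread and not taken from libappimage or the upstream fix in pull request 146: it reads the Name= key from the [Desktop Entry] group and refuses to build an integration path from it if the value could act as anything other than a single file-name component. The applications directory passed in and the "integrated-" naming scheme are assumptions made for the example.

```cpp
// Added example (not libappimage code): validate the Name= value of a
// .desktop file before it is used to build a file path, so that a value
// containing "/" or ".." cannot escape the per-user applications directory.
#include <iostream>
#include <sstream>
#include <string>

// Return the unlocalized Name= value from the [Desktop Entry] group, or an
// empty string if the group or key is missing. Localized keys such as
// Name[de]= are deliberately not considered here.
std::string desktopEntryName(const std::string& contents) {
    std::istringstream in(contents);
    std::string line;
    bool inDesktopEntry = false;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // tolerate CRLF
        if (line.empty() || line[0] == '#') continue;                 // blank or comment
        if (line[0] == '[') {                                         // group header
            inDesktopEntry = (line == "[Desktop Entry]");
            continue;
        }
        if (inDesktopEntry && line.rfind("Name=", 0) == 0)           // starts with Name=
            return line.substr(5);
    }
    return "";
}

// A value is only acceptable as a file-name component if it is non-empty,
// is not "." or "..", and contains no path separators or NUL bytes.
bool isSafeFileNameComponent(const std::string& name) {
    if (name.empty() || name == "." || name == "..") return false;
    for (char c : name) {
        if (c == '/' || c == '\\' || c == '\0') return false;
    }
    return true;
}

// Build the destination path for the integrated .desktop file under appsDir
// (assumed to be the user's applications directory). Returns an empty string
// when the Name= value is absent or unsafe, so the caller must not write.
std::string integrationTarget(const std::string& desktopFile,
                              const std::string& appsDir) {
    const std::string name = desktopEntryName(desktopFile);
    if (!isSafeFileNameComponent(name)) return "";
    return appsDir + "/integrated-" + name + ".desktop";  // hypothetical naming scheme
}

int main() {
    // Constructed sample inputs: a benign entry and one carrying path components.
    const std::string apps = "/home/user/.local/share/applications";
    const std::string benign = "[Desktop Entry]\nName=MyApp\nExec=myapp\n";
    const std::string traversal =
        "[Desktop Entry]\nName=../../../usr/share/applications/firefox\n";
    std::cout << "benign   -> " << integrationTarget(benign, apps) << "\n";
    std::cout << "traversal-> \"" << integrationTarget(traversal, apps) << "\" (rejected)\n";
    return 0;
}
```

The check is deliberately narrow: it decides whether the user-supplied string may be used as one path component and otherwise returns nothing, leaving the decision to skip integration to the caller. A stricter design avoids the problem entirely by deriving the destination file name from data the AppImage author does not control (for instance a digest of the image path) rather than from Name=; the check above is the minimum that blocks the overwrite described in the report.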