Hi Luca, On Wed, Jun 22, 2022 at 08:06:14PM +0100, Luca Boccassi wrote: > Control: found -1 26-1 > > On Wed, 22 Jun 2022 20:53:50 +0200 Salvatore Bonaccorso > <car...@debian.org> wrote: > > Hi, > > > > On Wed, Jun 22, 2022 at 07:26:57PM +0100, Luca Boccassi wrote: > > > Control: fixed -1 31-1 > > > > > > On Wed, 22 Jun 2022 11:36:32 +0200 =?UTF- > 8?Q?Moritz_M=C3=BChlenhoff?= > > > <j...@inutil.org> wrote: > > > > Source: dbus-broker > > > > X-Debbugs-CC: t...@security.debian.org > > > > Severity: important > > > > Tags: security > > > > > > > > Hi, > > > > > > > > The following vulnerability was published for dbus-broker. > > > > > > > > This was assigned CVE-2022-31212: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=2094718 > > > > > > > > If you fix the vulnerability please also make sure to include the > > > > CVE (Common Vulnerabilities & Exposures) id in your changelog > entry. > > > > > > > > For further information see: > > > > > > > > [0] https://security-tracker.debian.org/tracker/CVE-2022-31212 > > > >???????? https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212 > > > > > > > > Please adjust the affected versions in the BTS as needed. > > > > > > This appears to be already fixed in unstable and testing, at least > > > according to this message on bugzilla that says v31 includes the > fix: > > > > > > https://bugzilla.redhat.com/show_bug.cgi?id=2094720#c2 > > > > > > Although it is unclear precisely which commit/patch fixed it? > > > > From https://bugzilla.suse.com/show_bug.cgi?id=1200332#c1??I would say > > this is the following change: > > > > > https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1 > > > > and so it should be fixed since dbus-broker/30-1 uploaded to > unstable. > > Got it - but the vulnerable code is then also present in v26, which is > in Bullseye. Do we need a DSA? Otherwise I can just do a proposed- > updates upload? Or should we ignore it altogether? > > c_shquote_strnspn() is used by various functions in the submodule, > which eventually chain to c_shquote_parse_argv(), which is used by > src/launcher/launcher.c to parse the command line arguments on > invocation. > > Given the command line arguments are fixed in the unit files, it seems > to me it requires elevated privileges to exploit, so severity seems > minor at worst to me.
Gut feeling, to me this looks something which can be fixed in the upcoming point release but would not need a DSA. Will leave the final decision on it though to Moritz. Salvatore