Hi Luca,

On Wed, Jun 22, 2022 at 08:06:14PM +0100, Luca Boccassi wrote:
> Control: found -1 26-1
> 
> On Wed, 22 Jun 2022 20:53:50 +0200 Salvatore Bonaccorso
> <car...@debian.org> wrote:
> > Hi,
> > 
> > On Wed, Jun 22, 2022 at 07:26:57PM +0100, Luca Boccassi wrote:
> > > Control: fixed -1 31-1
> > > 
> > > On Wed, 22 Jun 2022 11:36:32 +0200 =?UTF-
> 8?Q?Moritz_M=C3=BChlenhoff?=
> > > <j...@inutil.org> wrote:
> > > > Source: dbus-broker
> > > > X-Debbugs-CC: t...@security.debian.org
> > > > Severity: important
> > > > Tags: security
> > > > 
> > > > Hi,
> > > > 
> > > > The following vulnerability was published for dbus-broker.
> > > > 
> > > > This was assigned CVE-2022-31212:
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=2094718
> > > > 
> > > > If you fix the vulnerability please also make sure to include the
> > > > CVE (Common Vulnerabilities & Exposures) id in your changelog
> entry.
> > > > 
> > > > For further information see:
> > > > 
> > > > [0] https://security-tracker.debian.org/tracker/CVE-2022-31212
> > > >???????? https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212
> > > > 
> > > > Please adjust the affected versions in the BTS as needed.
> > > 
> > > This appears to be already fixed in unstable and testing, at least
> > > according to this message on bugzilla that says v31 includes the
> fix:
> > > 
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2094720#c2
> > > 
> > > Although it is unclear precisely which commit/patch fixed it?
> > 
> > From https://bugzilla.suse.com/show_bug.cgi?id=1200332#c1??I would say
> > this is the following change:
> > 
> >
> https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1
> > 
> > and so it should be fixed since dbus-broker/30-1 uploaded to
> unstable.
> 
> Got it - but the vulnerable code is then also present in v26, which is
> in Bullseye. Do we need a DSA? Otherwise I can just do a proposed-
> updates upload? Or should we ignore it altogether?
> 
> c_shquote_strnspn() is used by various functions in the submodule,
> which eventually chain to c_shquote_parse_argv(), which is used by
> src/launcher/launcher.c to parse the command line arguments on
> invocation.
> 
> Given the command line arguments are fixed in the unit files, it seems
> to me it requires elevated privileges to exploit, so severity seems
> minor at worst to me.

Gut feeling, to me this looks something which can be fixed in the
upcoming point release but would not need a DSA. Will leave the final
decision on it though to Moritz.

Salvatore

Reply via email to