On Thu, 2022-06-23 at 07:24 +0200, Salvatore Bonaccorso wrote:
> Hi Luca,
> 
> On Wed, Jun 22, 2022 at 08:06:14PM +0100, Luca Boccassi wrote:
> > Control: found -1 26-1
> > 
> > On Wed, 22 Jun 2022 20:53:50 +0200 Salvatore Bonaccorso
> > <car...@debian.org> wrote:
> > > Hi,
> > > 
> > > On Wed, Jun 22, 2022 at 07:26:57PM +0100, Luca Boccassi wrote:
> > > > Control: fixed -1 31-1
> > > > 
> > > > On Wed, 22 Jun 2022 11:36:32 +0200 Moritz Mühlenhoff
> > > > <j...@inutil.org> wrote:
> > > > > Source: dbus-broker
> > > > > X-Debbugs-CC: t...@security.debian.org
> > > > > Severity: important
> > > > > Tags: security
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > The following vulnerability was published for dbus-broker.
> > > > > 
> > > > > This was assigned CVE-2022-31212:
> > > > > https://bugzilla.redhat.com/show_bug.cgi?id=2094718
> > > > > 
> > > > > If you fix the vulnerability please also make sure to include the
> > > > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > > > 
> > > > > For further information see:
> > > > > 
> > > > > [0] https://security-tracker.debian.org/tracker/CVE-2022-31212
> > > > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212
> > > > > 
> > > > > Please adjust the affected versions in the BTS as needed.
> > > > 
> > > > This appears to be already fixed in unstable and testing, at least
> > > > according to this message on bugzilla that says v31 includes the fix:
> > > > 
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=2094720#c2
> > > > 
> > > > Although it is unclear precisely which commit/patch fixed it?
> > > 
> > > From https://bugzilla.suse.com/show_bug.cgi?id=1200332#c1 I would say
> > > this is the following change:
> > > 
> > > https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1
> > > 
> > > and so it should be fixed since dbus-broker/30-1 uploaded to unstable.
> > 
> > Got it - but the vulnerable code is then also present in v26, which is
> > in Bullseye. Do we need a DSA? Otherwise I can just do a
> > proposed-updates upload? Or should we ignore it altogether?
> > 
> > c_shquote_strnspn() is used by various functions in the submodule,
> > which eventually chain to c_shquote_parse_argv(), which is used by
> > src/launcher/launcher.c to parse the command line arguments on
> > invocation.
> > 
> > Given the command line arguments are fixed in the unit files, it seems
> > to me it requires elevated privileges to exploit, so severity seems
> > minor at worst to me.
> 
> Gut feeling, to me this looks like something which can be fixed in the
> upcoming point release but would not need a DSA. Will leave the final
> decision on it though to Moritz.
> 
> Salvatore

OK, given it's never been uploaded to p-u before we need pre-auth by the
Release Team, so I got a head start and filed a bug to request it. Will
wait for Moritz before doing an actual upload.

-- 
Kind regards,
Luca Boccassi