The upstream patch patches "c->description" which is not used in Jessie. OK, so probably not vulnerable.

Looking at data/dla-needed.txt:

libqb
  NOTE: 20190616: Upstream patch does not apply at all, but it appears that
  NOTE: 20190616: package is still vulnerable in ipc_posix_mq.c etc. or
  NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby)

OK, good point. However these files are opened with posix_mq_create, which uses O_EXCL - my understanding is that this means these functions are not vulnerable to symlink attacks, etc.

However lib/ipc_shm.c has calls to qb_rb_open, which doesn't have O_EXCL, thinking this might be a vulnerability. lib/log_blackbox.c looks similar.

qb_rb_open calls qb_sys_mmap_file_open which in turn calls open_mmap_file which can support calling mkstemp to generate the filename, however I think this isn't getting used (no XXXXXX in filename string), so vulnerable still.

If you want to look at libqb, probably worth double checking this in case I got something wrong/confused :-)

-- 
Brian May <br...@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
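The O_EXCL distinction discussed in the message above, as an added C illustration that is not part of the original email and is not libqb code. The helper names, the /tmp/excl_demo_XXXXXX directory and the file names are constructed for the demonstration; it compares what happens when a dangling symlink already sits at a predictable file name.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* mkdtemp/symlink under strict -std= modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create-or-open without O_EXCL: a symlink already at `path` is followed. */
static int open_plain(const char *path) {
    return open(path, O_CREAT | O_RDWR, 0600);
}

/* O_CREAT|O_EXCL: fails with EEXIST if `path` exists, even as a dangling symlink. */
static int open_excl(const char *path) {
    return open(path, O_CREAT | O_EXCL | O_RDWR, 0600);
}

/* Returns 1 if opening the predictable name created the symlink's target, 0 if not. */
static int target_created(int (*opener)(const char *), int *err) {
    char dir[] = "/tmp/excl_demo_XXXXXX";   /* constructed private sandbox */
    char name[256], target[256];
    struct stat st;
    int fd, created;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(name, sizeof name, "%s/predictable-name", dir);
    snprintf(target, sizeof target, "%s/other-file", dir);
    if (symlink(target, name) != 0) { rmdir(dir); return -1; } /* dangling link */

    errno = 0;
    fd = opener(name);
    *err = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);
    created = (stat(target, &st) == 0);     /* did the open reach the target? */
    unlink(target); unlink(name); rmdir(dir);
    return created;
}

int main(void) {
    int e1, e2;
    int plain = target_created(open_plain, &e1);
    int excl = target_created(open_excl, &e2);
    printf("plain: target created=%d errno=%d\n", plain, e1);
    printf("excl:  target created=%d errno=%d (EEXIST=%d)\n", excl, e2, EEXIST);
    return 0;
}
```

When auditing code like the paths named in the message, the same check applies to every open of a predictable name in a shared directory: either O_EXCL is present, or the name comes from mkstemp with an XXXXXX template.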