Hello! Leo Famulari <l...@famulari.name> skribis:
> There's a format string vulnerability (with unknown impact) in our dbus: > > http://seclists.org/oss-sec/2016/q4/85 > > Please read that message and the linked bug report. > > My understanding of the upsream analysis of the format string > vulnerability is that only the bus owner can trigger it. So, if the > vulnerability allows arbitrary code execution, it would mean that root > could execute arbitrary code via the system bus... not a huge problem. > But still undesirable. Yeah, seems hard to exploit. Apparently even if we’re not using systemd activations we could be vulnerable, because it’s about how specific messages are processed, IIUC. > What do you think? Should we update this on core-updates? I think so. > Should we graft it on master? Unless there are possible ABI incompatibilies, it probably doesn’t hurt to do that. Thank you! Ludo’.