Hi Simon,

On Mon, Jun 03, 2019 at 11:34:36PM +0100, Simon McVittie wrote:
> Version: 3.32.1-1
>
> On Thu, 09 May 2019 at 22:34:53 +0200, Moritz Muehlenhoff wrote:
> > This was assigned CVE-2019-11460:
> > https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112
>
> This was fixed in 3.32.1, so I believe the bug is already not present
> in experimental:
>
> $ git grep TIOCSTI
> libgnome-desktop/gnome-desktop-thumbnail-script.c: {SCMP_SYS (ioctl),
> &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)},
>
> I'm preparing a backport of the upstream commit to 3.30.x for buster.
> (It was in 3.30.2.3, but that version has a lot of Autotools noise
> for a one-line change, so it doesn't seem worth following upstream
> 3.30.x releases unless/until there's a larger important fix.)
>
> On Thu, 09 May 2019 at 23:00:41 +0200, Salvatore Bonaccorso wrote:
> > found 928732 3.32.1-1
>
> ... or please reopen if you have information to the contrary?

Hmm, but I think this was not in 3.32.*1*-1. #112 is fixed by
e3dca7d49bf179f98ac114cad9f4d4889f75d90c which was included in
3.33.1. The fix went as well upstream in 3.32.1.1 and in 3.32.*2*.

So I think found 3.32.1-1 was actually correct, but it's fixed in the
current version in experimental as 3.32.2-1.

I checked as well by fetching 3.32.1-1 explicitly from snapshots.

Regards,
Salvatore