Control: found -1 26-1

On Wed, 22 Jun 2022 20:53:50 +0200 Salvatore Bonaccorso <car...@debian.org> wrote:
> Hi,
>
> On Wed, Jun 22, 2022 at 07:26:57PM +0100, Luca Boccassi wrote:
> > Control: fixed -1 31-1
> >
> > On Wed, 22 Jun 2022 11:36:32 +0200 Moritz Mühlenhoff
> > <j...@inutil.org> wrote:
> > > Source: dbus-broker
> > > X-Debbugs-CC: t...@security.debian.org
> > > Severity: important
> > > Tags: security
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for dbus-broker.
> > >
> > > This was assigned CVE-2022-31212:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2094718
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2022-31212
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212
> > >
> > > Please adjust the affected versions in the BTS as needed.
> >
> > This appears to be already fixed in unstable and testing, at least
> > according to this message on bugzilla that says v31 includes the fix:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2094720#c2
> >
> > Although it is unclear precisely which commit/patch fixed it?
>
> From https://bugzilla.suse.com/show_bug.cgi?id=1200332#c1 I would say
> this is the following change:
>
> https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1
>
> and so it should be fixed since dbus-broker/30-1 uploaded to unstable.
Got it - but the vulnerable code is then also present in v26, which is in
Bullseye. Do we need a DSA? Otherwise I can just do a proposed-updates
upload? Or should we ignore it altogether?

c_shquote_strnspn() is used by various functions in the submodule, which
eventually chain to c_shquote_parse_argv(), which is used by
src/launcher/launcher.c to parse the command line arguments on invocation.
Given the command line arguments are fixed in the unit files, it seems to me
it requires elevated privileges to exploit, so severity seems minor at worst
to me.

-- 
Kind regards,
Luca Boccassi