On Wed, 22 Jun 2022 20:06:14 +0100 Luca Boccassi <bl...@debian.org> wrote: > Control: found -1 26-1 > > On Wed, 22 Jun 2022 20:53:50 +0200 Salvatore Bonaccorso > <car...@debian.org> wrote: > > Hi, > > > > On Wed, Jun 22, 2022 at 07:26:57PM +0100, Luca Boccassi wrote: > > > Control: fixed -1 31-1 > > > > > > On Wed, 22 Jun 2022 11:36:32 +0200 =?UTF- > 8?Q?Moritz_M=C3=BChlenhoff?= > > > <j...@inutil.org> wrote: > > > > Source: dbus-broker > > > > X-Debbugs-CC: t...@security.debian.org > > > > Severity: important > > > > Tags: security > > > > > > > > Hi, > > > > > > > > The following vulnerability was published for dbus-broker. > > > > > > > > This was assigned CVE-2022-31212: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=2094718 > > > > > > > > If you fix the vulnerability please also make sure to include the > > > > CVE (Common Vulnerabilities & Exposures) id in your changelog > entry. > > > > > > > > For further information see: > > > > > > > > [0] https://security-tracker.debian.org/tracker/CVE-2022-31212 > > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212 > > > > > > > > Please adjust the affected versions in the BTS as needed. > > > > > > This appears to be already fixed in unstable and testing, at least > > > according to this message on bugzilla that says v31 includes the > fix: > > > > > > https://bugzilla.redhat.com/show_bug.cgi?id=2094720#c2 > > > > > > Although it is unclear precisely which commit/patch fixed it? > > > > From https://bugzilla.suse.com/show_bug.cgi?id=1200332#c1 I would say > > this is the following change: > > > > > https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1 > > > > and so it should be fixed since dbus-broker/30-1 uploaded to > unstable. > > Got it - but the vulnerable code is then also present in v26, which is > in Bullseye. Do we need a DSA? Otherwise I can just do a proposed- > updates upload? Or should we ignore it altogether? > > c_shquote_strnspn() is used by various functions in the submodule, > which eventually chain to c_shquote_parse_argv(), which is used by > src/launcher/launcher.c to parse the command line arguments on > invocation.
The backport is trivial, shall I do an upload to bullseye-security? -- Kind regards, Luca Boccassi
signature.asc
Description: This is a digitally signed message part
