On Tue, Jul 15, 2025 at 02:49:55PM +0100, Simon McVittie wrote:
> On Tue, 15 Jul 2025 at 14:29:13 +0200, Moritz Mühlenhoff wrote:
> > The following vulnerability was published for policykit-1.
> > 
> > CVE-2025-7519[0]:
> > | When processing an XML policy with 32 or
> > | more nested elements in depth
> [...]
> > | | To exploit
> > | this flaw, a high-privilege account is needed
> 
> Honestly, I don't think this is a security vulnerability and I think the CVE
> should have been rejected. I think it's just a bug.

Hence my "Labelling this a security issue seems to be a bit of a stretch..."
in the report. Since you concur, I've marked it as a non-issue in the Security
Tracker. For unstable we can simply close the bug when it reaches sid after
the next rebase post-trixie release.

Cheers,
        Moritz
