[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
From: |
Ludovic Courtès |
Subject: |
Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates |
Date: |
Mon, 10 Oct 2016 22:57:47 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) |
Hello!
Leo Famulari <address@hidden> skribis:
> There's a format string vulnerability (with unknown impact) in our dbus:
>
> http://seclists.org/oss-sec/2016/q4/85
>
> Please read that message and the linked bug report.
>
> My understanding of the upsream analysis of the format string
> vulnerability is that only the bus owner can trigger it. So, if the
> vulnerability allows arbitrary code execution, it would mean that root
> could execute arbitrary code via the system bus... not a huge problem.
> But still undesirable.
Yeah, seems hard to exploit. Apparently even if we’re not using systemd
activations we could be vulnerable, because it’s about how specific
messages are processed, IIUC.
> What do you think? Should we update this on core-updates?
I think so.
> Should we graft it on master?
Unless there are possible ABI incompatibilies, it probably doesn’t hurt
to do that.
Thank you!
Ludo’.