From nobody Sat May  2 21:07:07 2026
Received: (at 1134887-done) by bugs.debian.org; 2 May 2026 20:05:46 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-109.2 required=4.0 tests=BAYES_00,DKIMWL_WL_HIGH,
 DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FROMDEVELOPER,
 HAS_BUG_NUMBER,MD5_SHA1_SUM,SPF_HELO_NONE,SPF_PASS,UNPARSEABLE_RELAY,
 USER_IN_DKIM_WELCOMELIST autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 13; hammy, 147; neutral, 26; spammy,
 0. spammytokens:
 hammytokens:0.000-+--Hx-spam-relays-external:sk:stravin,
 0.000-+--H*RT:sk:stravin, 0.000-+--Hx-spam-relays-external:311,
 0.000-+--H*RT:311, 0.000-+--H*RT:108
Return-path: <jamessan@debian.org>
Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]:41178)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <jamessan@debian.org>) id 1wJGaw-002WkI-19
 for 1134887-done@bugs.debian.org; Sat, 02 May 2026 20:05:46 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; 
 s=smtpauto.stravinsky;
 h=X-Debian-User:In-Reply-To:Content-Transfer-Encoding:
 Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date:Reply-To
 :Cc:Content-ID:Content-Description;
 bh=o3wsY3H6Abdng0HpGiS4iGotp1FYQYyf2i6aeUNuGJs=; b=gKxgHJNHOAOWpLuqA8tZy9RV3r
 U2Ib0tfLB+DBQ98Y64dydAuIWV/rs3l2YqTliwcBtZk3DxxOO2zL/JfRUKUfAGznn7fjOjpu5S6d7
 ucFwO7l5aVtZ+Wz+Suqb9UjWG57P2Mvl5yrtggVwctukDOMphOLKpwS9VLuWQ7v9TGPTQ+AQq8H8U
 HQ7ISWWm/yEwPfyk67/cIDoJ2wBuPZ3jXGctuy9f9xVl29IW3w7SHljRYGtvfqDgzpSvDy9qo3GMQ
 04yTcKJ0wiqohqKwgT06AL8OpnDXqODo7ba6QHA9yoBk/shiO1ji153RauIy4s50T4fs1fLpuMjwS
 tKGtFu/A==;
Received: from authenticated user by stravinsky.debian.org with esmtpsa
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <jamessan@debian.org>)
 id 1wJGau-000k0q-23; Sat, 02 May 2026 20:05:44 +0000
Received: from jamessan by odin with local (Exim 4.99.2)
 (envelope-from <jamessan@debian.org>) id 1wJGaq-00000003AAi-267O;
 Sat, 02 May 2026 16:05:40 -0400
Date: Sat, 2 May 2026 16:05:40 -0400
From: James McCoy <jamessan@debian.org>
To: Moritz =?utf-8?Q?M=C3=BChlenhoff?= <jmm@inutil.org>, 
 1134887-done@bugs.debian.org
Subject: Re: Bug#1134887: skim: CVE-2026-41414
Message-ID: <afZYx_eA-TWr7WWB@localhost>
References: <aeygTGjaETX0JNtE@pisco.westfalen.local>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <aeygTGjaETX0JNtE@pisco.westfalen.local>
X-Debian-User: jamessan

On Sat, Apr 25, 2026 at 01:06:52PM +0200, Moritz Mühlenhoff wrote:
>CVE-2026-41414[0]:
>| Skim is a fuzzy finder designed to through files, lines, and
>| commands. The generate-files job in .github/workflows/pr.yml checks
>| out attacker-controlled fork code and executes it via cargo run,
>| with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN
>| (contents:write). No gates prevent exploitation - any GitHub user
>| can trigger this by opening a pull request from a fork. This
>| vulnerability is fixed with commit
>| bf63404ad51985b00ed304690ba9d477860a5a75.

This is a vulnerability in a GitHub action workflow, not skim itself.
Thus, this is irrelevant for Debian.

Cheers,
-- 
James (he/him)
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB
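The quoted CVE text describes a CI-side "pwn request": a workflow that checks out a fork's code and executes it under a trigger that still carries the repository's secrets and a write-capable GITHUB_TOKEN. That behaviour is what GitHub's pull_request_target event produces (the CVE text does not name the trigger, so attributing it to pull_request_target is an assumption here; the plain pull_request event gives forks neither secrets nor a write token). The scanner below is an added example, not code from this bug report or from the skim project, and the three workflow snippets embedded in it are constructed stand-ins rather than skim's real .github/workflows/pr.yml. It flags the pattern the way a repository maintainer would want to, and also shows the two things that make it benign: moving the job to pull_request, or keeping pull_request_target but never checking out the PR head.

```python
"""Heuristic scan of GitHub Actions workflow YAML for the 'pwn request'
pattern: a privileged trigger (pull_request_target) whose job checks out the
pull request's head commit and runs it.  Plain regexes over the text, so no
YAML library is needed; it is a triage aid, not a parser.  Added example,
not the skim project's code."""
import re
from dataclasses import dataclass, field

# Constructed sample (hypothetical; NOT skim's real .github/workflows/pr.yml).
# Privileged trigger + checkout of the fork's commit + build tool = pwn request.
VULNERABLE = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  generate-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork's code
      - run: cargo run --bin generate-files                # executes it
        env:
          BOT_KEY: ${{ secrets.BOT_PRIVATE_KEY }}
"""

# Same job on the unprivileged trigger: forks get a read-only token, no secrets.
HARDENED = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  generate-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo run --bin generate-files
"""

# pull_request_target that only checks out the base branch: the documented
# safe use (e.g. labelling), even though the token is privileged.
TARGET_BASE_ONLY = """\
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/label-pr.sh
"""

PRIVILEGED_TRIGGER = re.compile(
    r"(?m)^\s*(?:-\s*)?pull_request_target\b|\bon:\s*\[[^\]]*\bpull_request_target\b")
PR_HEAD_CHECKOUT = re.compile(
    r"github\.event\.pull_request\.head\.(?:sha|ref|repo)|github\.head_ref")
BUILD_TOOL = re.compile(
    r"(?m)^\s*(?:-\s*)?run:.*\b(?:cargo|npm|yarn|pnpm|make|pip3?|python3?|node|go)\b")
LOCAL_ACTION = re.compile(r"(?m)^\s*(?:-\s*)?uses:\s*\./")
SECRET_REF = re.compile(r"\bsecrets\.\w+")


@dataclass
class Finding:
    privileged_trigger: bool
    checks_out_pr_head: bool
    runs_checked_out_code: bool
    references_secrets: bool
    notes: list = field(default_factory=list)

    @property
    def pwn_request(self) -> bool:
        # Checking out untrusted code under a privileged trigger is the bug
        # even without a visible `run:` step (build scripts and local actions
        # execute on build/checkout), so do not require runs_checked_out_code.
        return self.privileged_trigger and self.checks_out_pr_head


def scan_workflow(text: str) -> Finding:
    """Classify one workflow file's text."""
    f = Finding(
        privileged_trigger=bool(PRIVILEGED_TRIGGER.search(text)),
        checks_out_pr_head=bool(PR_HEAD_CHECKOUT.search(text)),
        runs_checked_out_code=bool(BUILD_TOOL.search(text) or LOCAL_ACTION.search(text)),
        references_secrets=bool(SECRET_REF.search(text)),
    )
    if f.pwn_request:
        f.notes.append(
            "pull_request_target + checkout of PR head: fork code runs with a "
            "write-capable GITHUB_TOKEN (this trigger's default unless "
            "permissions: restricts it)"
            + (" and with repository secrets" if f.references_secrets else ""))
    elif f.privileged_trigger:
        f.notes.append(
            "pull_request_target without PR-head checkout: privileged token, but "
            "only base-branch code runs (verify no later step fetches the PR)")
    return f


if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE), ("hardened", HARDENED),
                     ("target-base-only", TARGET_BASE_ONLY)]:
        f = scan_workflow(wf)
        print(f"{name}: pwn_request={f.pwn_request} {f.notes}")
```

Run it as a script to see the three verdicts, or pass the contents of real workflow files to scan_workflow(). Because it is regex-based, a ref set through an expression stored in a variable, or a later step that fetches the PR with gh or git, would slip past it; treat a clean result as a triage hint, not a proof. Note that none of this touches the built binary, which is the point James makes above: the exposure is the repository's CI credentials, not the packaged program.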