Bug#928732: CVE-2019-11460

Salvatore Bonaccorso carnil at debian.org
Tue Jun 4 05:19:43 BST 2019


Hi Simon,

On Mon, Jun 03, 2019 at 11:34:36PM +0100, Simon McVittie wrote:
> Version: 3.32.1-1
> 
> On Thu, 09 May 2019 at 22:34:53 +0200, Moritz Muehlenhoff wrote:
> > This was assigned CVE-2019-11460:
> > https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112
> 
> This was fixed in 3.32.1, so I believe the bug is already not present
> in experimental:
> 
> $ git grep TIOCSTI
> libgnome-desktop/gnome-desktop-thumbnail-script.c:    {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)},
> 
> I'm preparing a backport of the upstream commit to 3.30.x for buster.
> (It was in 3.30.2.3, but that version has a lot of Autotools noise
> for a one-line change, so it doesn't seem worth following upstream
> 3.30.x releases unless/until there's a larger important fix.)
> 
> On Thu, 09 May 2019 at 23:00:41 +0200, Salvatore Bonaccorso wrote:
> > found 928732 3.32.1-1
> 
> ... or please reopen if you have information to the contrary?

Hmm, but no, I think this was not in 3.32.*1*-1. #112 is fixed by
e3dca7d49bf179f98ac114cad9f4d4889f75d90c which was included in 3.33.1.
The fix went as well upstream in 3.32.1.1 and in 3.32.*2*. So I think
found 3.32.1-1 was actually correct, but it's fixed in the current
version in experimental as 3.32.2-1.

I checked as well by fetching 3.32.1-1 explicitly from snapshots.

Regards,
Salvatore


