Bug#1053881: tracker-miners: CVE-2023-5557

Salvatore Bonaccorso carnil at debian.org
Thu Nov 23 20:05:01 GMT 2023


Hi Jeremy,

On Wed, Nov 22, 2023 at 10:21:47AM -0500, Jeremy Bícha wrote:
> On Fri, Oct 13, 2023 at 9:27 AM Moritz Mühlenhoff <jmm at inutil.org> wrote:
> > Source: tracker-miners
> > X-Debbugs-CC: team at security.debian.org
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was published for tracker-miners.
> >
> > CVE-2023-5557[0]:
> > | A flaw was found in the tracker-miners package. A weakness in the
> > | sandbox allows a maliciously-crafted file to execute code outside
> > | the sandbox if the tracker-extract process has first been
> > | compromised by a separate vulnerability.
> 
> Moritz,
> 
> The architecture build issues were fixed in upstream's 3.4.6 release.
> Do you want to do a bookworm security update for this issue?
> 
> The sandbox in tracker-miners 2.x is significantly different and since
> no upstream patches were provided for it, I do not plan to work on
> fixing this for older Debian releases.

The issue itself is no-dsa for tracker-miners but can you (as per
above, at least for bookworm) fix the issue with the upcoming point
releases?

Regards,
Salvatore


