Bug#955330: iproute2: corrupted output of "altname"
Marc Zyngier
maz at kernel.org
Mon Apr 20 15:49:21 BST 2020
On 2020-04-20 12:39, Luca Boccassi wrote:
> On Mon, 2020-04-20 at 09:29 +0100, Marc Zyngier wrote:
>> Hi all,
>>
>> I just managed to track this down to systemd-udev.
[...]
> You are indeed right, thanks for the analysis.
>
> Upstream bug: https://github.com/systemd/systemd/issues/15232
> Upstream fix: https://github.com/systemd/systemd/pull/15300
> Introduced by:
> https://github.com/systemd/systemd/commit/ef1d2c07f9567dfea8a4e012d8779a4ded2d9ae6
Ah, nice one. You'd hope the compiler would scream at that.
> I'll leave it to the systemd maintainers to decide whether to backport
> a fix or wait for a new release.
Given that this leaks data from a process running as root, and makes
it visible to unprivileged users, I would say that patching it seems
to be the sensible course of action.
But this depends on how bullseye is supported security-wise. Maybe it
doesn't matter as long as nobody puts it in production... ;-)
Thanks,
M.
--
Jazz is not dead. It just smells funny...
More information about the Pkg-systemd-maintainers
mailing list