Bug#955330: iproute2: corrupted output of "altname"
Michael Biebl
biebl at debian.org
Mon Apr 20 15:55:52 BST 2020
Am 20.04.20 um 16:49 schrieb Marc Zyngier:
> On 2020-04-20 12:39, Luca Boccassi wrote:
>> On Mon, 2020-04-20 at 09:29 +0100, Marc Zyngier wrote:
>>> Hi all,
>>>
>>> I just managed to track this down to systemd-udev.
>
> [...]
>
>> You are indeed right, thanks for the analysis.
>>
>> Upstream bug: https://github.com/systemd/systemd/issues/15232
>> Upstream fix: https://github.com/systemd/systemd/pull/15300
>> Introduced by:
>> https://github.com/systemd/systemd/commit/ef1d2c07f9567dfea8a4e012d8779a4ded2d9ae6
>>
>
> Ah, nice one. You'd hope the compiler would scream at that.
>
>> I'll leave it to the systemd maintainers to decide whether to backport
>> a fix or wait for a new release.
>
> Given that this leaks data from a process running as root, and makes
> it visible to unprivileged users, I would say that patching it seems
> to be the sensible course of action.
>
> But this depends on how bullseye is supported security-wise. Maybe it
> doesn't matter as long as nobody puts it in production... ;-)
>
As said, it's already fixed in unstable. Just needs a couple of days
until the package can transition to testing.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20200420/d3eeeb08/attachment-0001.sig>
More information about the Pkg-systemd-maintainers
mailing list