[Pkg-utopia-maintainers] Bug#1013343: dbus-broker: CVE-2022-31212

Luca Boccassi bluca at debian.org
Wed Jun 22 20:06:14 BST 2022


Control: found -1 26-1

On Wed, 22 Jun 2022 20:53:50 +0200 Salvatore Bonaccorso
<carnil at debian.org> wrote:
> Hi,
> 
> On Wed, Jun 22, 2022 at 07:26:57PM +0100, Luca Boccassi wrote:
> > Control: fixed -1 31-1
> > 
> > On Wed, 22 Jun 2022 11:36:32 +0200 Moritz Mühlenhoff
> > <jmm at inutil.org> wrote:
> > > Source: dbus-broker
> > > X-Debbugs-CC: team at security.debian.org
> > > Severity: important
> > > Tags: security
> > > 
> > > Hi,
> > > 
> > > The following vulnerability was published for dbus-broker.
> > > 
> > > This was assigned CVE-2022-31212:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2094718
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2022-31212
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212
> > > 
> > > Please adjust the affected versions in the BTS as needed.
> > 
> > This appears to be already fixed in unstable and testing, at least
> > according to this message on bugzilla that says v31 includes the fix:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=2094720#c2
> > 
> > Although it is unclear precisely which commit/patch fixed it?
> 
> From https://bugzilla.suse.com/show_bug.cgi?id=1200332#c1 I would say
> this is the following change:
> 
> https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1
> 
> and so it should be fixed since dbus-broker/30-1 uploaded to unstable.

Got it - but the vulnerable code is then also present in v26, which is
in Bullseye. Do we need a DSA? Otherwise I can just do a
proposed-updates upload? Or should we ignore it altogether?

c_shquote_strnspn() is used by various functions in the submodule,
which eventually chain to c_shquote_parse_argv(), which is used by
src/launcher/launcher.c to parse the command line arguments on
invocation.

Given the command line arguments are fixed in the unit files, it seems
to me it requires elevated privileges to exploit, so severity seems
minor at worst to me.

-- 
Kind regards,
Luca Boccassi