[Pkg-utopia-maintainers] Bug#1013343: dbus-broker: CVE-2022-31212

Luca Boccassi bluca at debian.org
Wed Jun 22 22:48:02 BST 2022


On Wed, 22 Jun 2022 20:06:14 +0100 Luca Boccassi <bluca at debian.org>
wrote:
> Control: found -1 26-1
> 
> On Wed, 22 Jun 2022 20:53:50 +0200 Salvatore Bonaccorso
> <carnil at debian.org> wrote:
> > Hi,
> > 
> > On Wed, Jun 22, 2022 at 07:26:57PM +0100, Luca Boccassi wrote:
> > > Control: fixed -1 31-1
> > > 
> > > On Wed, 22 Jun 2022 11:36:32 +0200 Moritz Mühlenhoff
> > > <jmm at inutil.org> wrote:
> > > > Source: dbus-broker
> > > > X-Debbugs-CC: team at security.debian.org
> > > > Severity: important
> > > > Tags: security
> > > > 
> > > > Hi,
> > > > 
> > > > The following vulnerability was published for dbus-broker.
> > > > 
> > > > This was assigned CVE-2022-31212:
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=2094718
> > > > 
> > > > If you fix the vulnerability please also make sure to include the
> > > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > > 
> > > > For further information see:
> > > > 
> > > > [0] https://security-tracker.debian.org/tracker/CVE-2022-31212
> > > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212
> > > > 
> > > > Please adjust the affected versions in the BTS as needed.
> > > 
> > > This appears to be already fixed in unstable and testing, at least
> > > according to this message on bugzilla that says v31 includes the fix:
> > > 
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2094720#c2
> > > 
> > > Although it is unclear precisely which commit/patch fixed it?
> > 
> > From https://bugzilla.suse.com/show_bug.cgi?id=1200332#c1 I would say
> > this is the following change:
> > 
> > https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1
> > 
> > and so it should be fixed since dbus-broker/30-1 uploaded to unstable.
> 
> Got it - but the vulnerable code is then also present in v26, which is
> in Bullseye. Do we need a DSA? Otherwise I can just do a proposed-updates
> upload? Or should we ignore it altogether?
> 
> c_shquote_strnspn() is used by various functions in the submodule,
> which eventually chain to c_shquote_parse_argv(), which is used by
> src/launcher/launcher.c to parse the command line arguments on
> invocation.

The backport is trivial, shall I do an upload to bullseye-security?

-- 
Kind regards,
Luca Boccassi