[Pkg-utopia-maintainers] Bug#1013343: dbus-broker: CVE-2022-31212

Luca Boccassi bluca at debian.org
Thu Jun 23 11:35:10 BST 2022


On Thu, 2022-06-23 at 07:24 +0200, Salvatore Bonaccorso wrote:
> Hi Luca,
> 
> On Wed, Jun 22, 2022 at 08:06:14PM +0100, Luca Boccassi wrote:
> > Control: found -1 26-1
> > 
> > On Wed, 22 Jun 2022 20:53:50 +0200 Salvatore Bonaccorso
> > <carnil at debian.org> wrote:
> > > Hi,
> > > 
> > > On Wed, Jun 22, 2022 at 07:26:57PM +0100, Luca Boccassi wrote:
> > > > Control: fixed -1 31-1
> > > > 
> > > > On Wed, 22 Jun 2022 11:36:32 +0200 =?UTF-
> > 8?Q?Moritz_M=C3=BChlenhoff?=
> > > > <jmm at inutil.org> wrote:
> > > > > Source: dbus-broker
> > > > > X-Debbugs-CC: team at security.debian.org
> > > > > Severity: important
> > > > > Tags: security
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > The following vulnerability was published for dbus-broker.
> > > > > 
> > > > > This was assigned CVE-2022-31212:
> > > > > https://bugzilla.redhat.com/show_bug.cgi?id=2094718
> > > > > 
> > > > > If you fix the vulnerability please also make sure to include the
> > > > > CVE (Common Vulnerabilities & Exposures) id in your changelog
> > entry.
> > > > > 
> > > > > For further information see:
> > > > > 
> > > > > [0] https://security-tracker.debian.org/tracker/CVE-2022-31212
> > > > > ???????? https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212
> > > > > 
> > > > > Please adjust the affected versions in the BTS as needed.
> > > > 
> > > > This appears to be already fixed in unstable and testing, at least
> > > > according to this message on bugzilla that says v31 includes the
> > fix:
> > > > 
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=2094720#c2
> > > > 
> > > > Although it is unclear precisely which commit/patch fixed it?
> > > 
> > > From https://bugzilla.suse.com/show_bug.cgi?id=1200332#c1??I would say
> > > this is the following change:
> > > 
> > > 
> > https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1
> > > 
> > > and so it should be fixed since dbus-broker/30-1 uploaded to
> > unstable.
> > 
> > Got it - but the vulnerable code is then also present in v26, which is
> > in Bullseye. Do we need a DSA? Otherwise I can just do a proposed-
> > updates upload? Or should we ignore it altogether?
> > 
> > c_shquote_strnspn() is used by various functions in the submodule,
> > which eventually chain to c_shquote_parse_argv(), which is used by
> > src/launcher/launcher.c to parse the command line arguments on
> > invocation.
> > 
> > Given the command line arguments are fixed in the unit files, it seems
> > to me it requires elevated privileges to exploit, so severity seems
> > minor at worst to me.
> 
> Gut feeling, to me this looks something which can be fixed in the
> upcoming point release but would not need a DSA. Will leave the final
> decision on it though to Moritz.
> 
> Salvatore

Ok, given it's never been uploaded to p-u before we need pre-auth by
the Release Team, so I got a head start and filed a bug to request it.
Will wait for Moritz before doing an actual upload.

-- 
Kind regards,
Luca Boccassi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20220623/728678ed/attachment.sig>


More information about the Pkg-utopia-maintainers mailing list