guix-devel

Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates


From: Ludovic Courtès
Subject: Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
Date: Mon, 10 Oct 2016 22:57:47 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Hello!

Leo Famulari <address@hidden> writes:

> There's a format string vulnerability (with unknown impact) in our dbus:
>
> http://seclists.org/oss-sec/2016/q4/85
>
> Please read that message and the linked bug report.
>
> My understanding of the upstream analysis of the format string
> vulnerability is that only the bus owner can trigger it. So, if the
> vulnerability allows arbitrary code execution, it would mean that root
> could execute arbitrary code via the system bus... not a huge problem.
> But still undesirable.

Yeah, seems hard to exploit.  Apparently even if we’re not using systemd
activations we could be vulnerable, because it’s about how specific
messages are processed, IIUC.

> What do you think? Should we update this on core-updates?

I think so.

> Should we graft it on master?

Unless there are possible ABI incompatibilities, it probably doesn’t hurt
to do that.

Thank you!

Ludo’.


