From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates Date: Mon, 10 Oct 2016 22:57:47 +0200 Message-ID: <87wphfgbw4.fsf@gnu.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:41828) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bthdy-0001GD-Cz for guix-devel@gnu.org; Mon, 10 Oct 2016 16:57:55 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bthdv-0005if-76 for guix-devel@gnu.org; Mon, 10 Oct 2016 16:57:54 -0400 In-Reply-To: (Leo Famulari's message of "Mon, 10 Oct 2016 13:44:16 -0400") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Leo Famulari Cc: guix-devel@gnu.org Hello! Leo Famulari skribis: > There's a format string vulnerability (with unknown impact) in our dbus: > > http://seclists.org/oss-sec/2016/q4/85 > > Please read that message and the linked bug report. > > My understanding of the upsream analysis of the format string > vulnerability is that only the bus owner can trigger it. So, if the > vulnerability allows arbitrary code execution, it would mean that root > could execute arbitrary code via the system bus... not a huge problem. > But still undesirable. Yeah, seems hard to exploit. Apparently even if we=E2=80=99re not using sy= stemd activations we could be vulnerable, because it=E2=80=99s about how specific messages are processed, IIUC. > What do you think? Should we update this on core-updates? I think so. > Should we graft it on master? Unless there are possible ABI incompatibilies, it probably doesn=E2=80=99t = hurt to do that. Thank you! Ludo=E2=80=99.