From: Leo Famulari
Subject: [PATCH 0/1] Dbus update 1.10.12 for core-updates
Date: Mon, 10 Oct 2016 13:44:16 -0400
To: guix-devel@gnu.org

There's a format string vulnerability (with unknown impact) in our dbus:

http://seclists.org/oss-sec/2016/q4/85

Please read that message and the linked bug report.

My understanding of the upstream analysis of the format string vulnerability is that only the bus owner can trigger it. So, if the vulnerability allows arbitrary code execution, it would mean that root could execute arbitrary code via the system bus... not a huge problem. But still undesirable.

What do you think? Should we update this on core-updates? Should we graft it on master?

Leo Famulari (1):
  gnu: dbus: Update to 1.10.12.

 gnu/packages/glib.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
2.10.1