- Package:
- src:dbus-broker
- Source:
- dbus-broker
- Submitter:
- Moritz Mühlenhoff
- Date:
- 2022-07-01 15:36:11 UTC
- Severity:
- important
- Tags:
Hi,

The following vulnerability was published for dbus-broker.

This was assigned CVE-2022-31212:
https://bugzilla.redhat.com/show_bug.cgi?id=2094718

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31212
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212

Please adjust the affected versions in the BTS as needed.
Control: fixed -1 31-1

This appears to be already fixed in unstable and testing, at least according to this message on bugzilla that says v31 includes the fix:
https://bugzilla.redhat.com/show_bug.cgi?id=2094720#c2

Although it is unclear precisely which commit/patch fixed it?
Hi,

From https://bugzilla.suse.com/show_bug.cgi?id=1200332#c1 I would say this is the following change:
https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1

and so it should be fixed since dbus-broker/30-1 uploaded to unstable.

Regards,
Salvatore
On Wed, 22 Jun 2022 20:53:50 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
> https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1

Got it - but the vulnerable code is then also present in v26, which is in Bullseye. Do we need a DSA? Otherwise I can just do a proposed-updates upload? Or should we ignore it altogether?

c_shquote_strnspn() is used by various functions in the submodule, which eventually chain to c_shquote_parse_argv(), which is used by src/launcher/launcher.c to parse the command line arguments on invocation. Given the command line arguments are fixed in the unit files, it seems to me it requires elevated privileges to exploit, so severity seems minor at worst to me.
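As an added illustration (editor's example, not c-shquote or dbus-broker code): a strnspn() built on a 256-entry byte table, which is the shape of the function named in the message above. The contrast it draws, indexing the table with a plain `char` (negative for bytes >= 0x80 wherever char is signed) versus an `unsigned char`, is the editor's reading of the upstream commit linked in the thread; the thread itself only names the function and the backported patch, so treat the root-cause detail as an assumption. The unsafe access is never performed; `would_overflow_unsafe()` only reports the index the unsafe form would have computed. All inputs are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Editor's reimplementation of a strnspn() over a 256-entry lookup table.
 * NOT the c-shquote code; the signed-char root cause is an assumption
 * taken from the upstream fix, not from the bug thread.
 *
 * The unsafe variant indexes the table with a plain `char`.  On targets where
 * char is signed (x86 among them) any byte >= 0x80 converts to a negative
 * value, i.e. an access before the start of the table.  We never perform that
 * access here; table_index_unsafe() only reports what the index would be.
 */

/* Index the unsafe variant would compute for byte b (plain char conversion). */
static int table_index_unsafe(unsigned char b) {
        char c = (char)b;       /* implementation-defined for b >= 0x80 */
        return (int)c;          /* negative when char is signed */
}

/* Index the fixed variant computes: always within 0..UCHAR_MAX. */
static int table_index_fixed(unsigned char b) {
        return (int)b;
}

/*
 * Fixed strnspn: length of the initial segment of `string` (at most
 * `n_string` bytes) made up only of bytes present in `accept`.  Every table
 * access goes through an unsigned char, so no input byte can leave the table.
 */
size_t strnspn_fixed(const char *string, size_t n_string, const char *accept) {
        bool table[UCHAR_MAX + 1] = { false };
        size_t i;

        for (i = 0; accept[i] != '\0'; ++i)
                table[table_index_fixed((unsigned char)accept[i])] = true;

        for (i = 0; i < n_string; ++i)
                if (!table[table_index_fixed((unsigned char)string[i])])
                        return i;

        return n_string;
}

/*
 * True if `s` (n bytes) contains a byte for which the unsafe variant would
 * index outside table[0..UCHAR_MAX] on this build.  Pure ASCII never does;
 * any high byte does whenever char is signed.
 */
bool would_overflow_unsafe(const char *s, size_t n) {
        size_t i;

        for (i = 0; i < n; ++i) {
                int idx = table_index_unsafe((unsigned char)s[i]);
                if (idx < 0 || idx > UCHAR_MAX)
                        return true;
        }
        return false;
}

int main(void) {
        /* Constructed inputs: plain ASCII, then UTF-8 "ü" (0xC3 0xBC) + 'x'. */
        const char *ascii = "abc";
        const char *utf8 = "\xc3\xbcx";

        printf("strnspn_fixed(\"abc\", 3, \"ab\") = %zu\n",
               strnspn_fixed(ascii, 3, "ab"));
        printf("strnspn_fixed(utf8, 3, utf8)     = %zu\n",
               strnspn_fixed(utf8, 3, utf8));
        printf("unsafe variant would overflow on utf8: %s\n",
               would_overflow_unsafe(utf8, strlen(utf8))
                       ? "yes (char is signed on this build)"
                       : "no (char is unsigned on this build)");
        return 0;
}
```

The practical check this encodes: any code that uses a `char` as an array index is only safe for the ASCII range, and the launcher path described above (Exec lines parsed by c_shquote_parse_argv()) feeds arbitrary bytes from unit files into exactly such a table, which is why the unsigned cast, not input filtering, is the right fix.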
On Wed, 22 Jun 2022 20:06:14 +0100 Luca Boccassi <bluca@debian.org> wrote:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212
> https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1

The backport is trivial, shall I do an upload to bullseye-security?
Hi Luca,

Gut feeling, to me this looks something which can be fixed in the upcoming point release but would not need a DSA. Will leave the final decision on it though to Moritz.

Salvatore
Ok, given it's never been uploaded to p-u before we need pre-auth by the Release Team, so I got a head start and filed a bug to request it. Will wait for Moritz before doing an actual upload.
Agreed, I don't think we need a DSA here, this is merely a crash and
I'm not even sure this crosses any reasonable trust boundary, if
service definitions with untrusted Exec statements are in use, this
is probably the lesser of worries...

Cheers,
Moritz
We believe that the bug you reported is fixed in the latest version of
dbus-broker, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1013343@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luca Boccassi <bluca@debian.org> (supplier of updated dbus-broker package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 22 Jun 2022 22:27:17 +0100
Source: dbus-broker
Architecture: source
Version: 26-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Luca Boccassi <bluca@debian.org>
Changed-By: Luca Boccassi <bluca@debian.org>
Closes: 1013343
Changes:
dbus-broker (26-1+deb11u1) bullseye; urgency=medium
.
* Backport strnspn-fix-buffer-overflow.patch to fix CVE-2022-31212
(Closes: #1013343)
Checksums-Sha1:
e4c426ce7d3e95a3d8892f00d455d070f56def0d 2241 dbus-broker_26-1+deb11u1.dsc
c2403ea6ab9cb43cdda81e2505d6994ac6bedc8a 6540 dbus-broker_26-1+deb11u1.debian.tar.xz
6b1599911b64bd6aaa552da63b5f95f148843ce2 8759 dbus-broker_26-1+deb11u1_source.buildinfo
Checksums-Sha256:
31234ae86f8c9ca29a2541b2b76e8f3cbd8812bb9da99b7e0d0d17d016dc7216 2241 dbus-broker_26-1+deb11u1.dsc
1d911857a868bc66c755f458360cab09fbe723e24ff02c48c61e6573fc54ed1a 6540 dbus-broker_26-1+deb11u1.debian.tar.xz
02ed63651a9283d6e39d16c8e55cd317f282d6804bebf6c45f30dd93cef8c8b0 8759 dbus-broker_26-1+deb11u1_source.buildinfo
Files:
bb950c6165983af8cd3520695afa3433 2241 admin optional dbus-broker_26-1+deb11u1.dsc
65cf9285d174027d1c37fa3e7d187a78 6540 admin optional dbus-broker_26-1+deb11u1.debian.tar.xz
04f63759151221df2124405ddf6e7185 8759 admin optional dbus-broker_26-1+deb11u1_source.buildinfo