
Bug#776616: unblock: fso stack



On Sun, 01 Feb 2015 at 11:31:58 +0100, Sebastian Reichel wrote:
> On Sun, Feb 01, 2015 at 10:24:06AM +0100, Niels Thykier wrote:
> > This package has a few changes that do not follow the described pattern:
> 
> Ah right, I forgot to mention those. Basically upstream data looks a
> bit different for those lines, so the patch pattern also changes.

I am an upstream and Debian D-Bus maintainer, and the reporter of
CVE-2014-8156. If Sebastian's changes for jessie match the ones for
wheezy that are attached to #776617, then I confirm that they are
reasonable patterns to address CVE-2014-8156.

I do not know enough about fso to know whether they will cause fso
to regress (disallowing more than they should) or whether they are
sufficient to make fso *itself* secure against malicious local users
(which is probably not a supported use-case anyway), but they do stop
fso from making *other things* insecure.

In particular, nothing seems to be allowed that was not already allowed.

Regards,
    S

