On Sun, 01 Feb 2015 at 11:31:58 +0100, Sebastian Reichel wrote:
> On Sun, Feb 01, 2015 at 10:24:06AM +0100, Niels Thykier wrote:
> > This package has a few changes that do not follow the described pattern:
>
> Ah right, I forgot to mention those. Basically upstream data looks a
> bit different for those lines, so the patch pattern also changes.

I am an upstream and Debian D-Bus maintainer, and the reporter of CVE-2014-8156.

If Sebastian's changes for jessie match the ones for wheezy that are attached to #776617, then I confirm that they are reasonable patterns to address CVE-2014-8156.

I do not know enough about fso to know whether they will cause fso to regress (disallowing more than they should) or whether they are sufficient to make fso *itself* secure against malicious local users (which is probably not a supported use-case anyway), but they do stop fso from making *other things* insecure. In particular, nothing seems to be allowed that was not already allowed.

Regards,
S