On Sun, 01 Feb 2015 at 11:31:58 +0100, Sebastian Reichel wrote:
> On Sun, Feb 01, 2015 at 10:24:06AM +0100, Niels Thykier wrote:
> > This package has a few changes that do not follow the described pattern:
> 
> Ah right, I forgot to mention those. Basically upstream data looks a
> bit different for those lines, so the patch pattern also changes.

I am an upstream and Debian D-Bus maintainer, and the reporter of
CVE-2014-8156. If Sebastian's changes for jessie match the ones for
wheezy that are attached to #776617, then I confirm that they are
reasonable patterns to address CVE-2014-8156.

I do not know enough about fso to know whether they will cause fso
to regress (disallowing more than they should) or whether they are
sufficient to make fso *itself* secure against malicious local users
(which is probably not a supported use-case anyway), but they do stop
fso from making *other things* insecure.

In particular, nothing seems to be allowed that was not already allowed.

Regards,
    S

