Hey!

On Mon, Jan 08, 2018 at 06:03:48PM +0100, Markus Koschany wrote:
> Hi,
>
> On 08.01.2018 at 17:44, Salvatore Bonaccorso wrote:
> [...]
> > So the patched files exist, and similar code flow is present.
> >
> > I explicitly have not looked (yet) at 4.0.2.GA which is in jessie (and
> > wheezy), just the 4.3.3 based versions in stable and unstable yet.
> >
> > What do you miss?
>
> Oh, I was somehow under the impression all versions were the same. The
> getAccessible method is not present in Wheezy/Jessie hence my
> conclusion. The version in stable/unstable looks to me like we could
> apply the patch.

Ok, thanks a lot for double checking. Again, I'm not sure how pressing
the issue is, I'm deferring a DSA/no-DSA decision to one of my
teammates. Privilege escalation rings some bells obviously.

For older versions than 4.3.3, am I right that then the issue is only
introduced in ab21ca98fd7814bd014e7d8e03de8640f2529352, "HV-912 Not
exposing accessible-made members", which is in 4.3.2.Final~3 or is it
more just uncovered there?

Regards,
Salvatore

