On 20.04.20 at 16:49, Marc Zyngier wrote:
> On 2020-04-20 12:39, Luca Boccassi wrote:
>> On Mon, 2020-04-20 at 09:29 +0100, Marc Zyngier wrote:
>>> Hi all,
>>>
>>> I just managed to track this down to systemd-udev.
>
> [...]
>
>> You are indeed right, thanks for the analysis.
>>
>> Upstream bug: https://github.com/systemd/systemd/issues/15232
>> Upstream fix: https://github.com/systemd/systemd/pull/15300
>> Introduced by:
>> https://github.com/systemd/systemd/commit/ef1d2c07f9567dfea8a4e012d8779a4ded2d9ae6
>>
>
> Ah, nice one. You'd hope the compiler would scream at that.
>
>> I'll leave it to the systemd maintainers to decide whether to backport
>> a fix or wait for a new release.
>
> Given that this leaks data from a process running as root, and makes
> it visible to unprivileged users, I would say that patching it seems
> to be the sensible course of action.
>
> But this depends on how bullseye is supported security-wise. Maybe it
> doesn't matter as long as nobody puts it in production... ;-)
>
As said, it's already fixed in unstable. Just needs a couple of days until the package can transition to testing.

