On Wed, 17 Jun 2026 at 22:49, Moritz Mühlenhoff <[email protected]> wrote:
>
> On Sat, Jun 13, 2026 at 02:50:11AM +0200, Matthias Klumpp wrote:
> > Hi!
> >
> > I am aware, and the issue will be addressed in some form with the next
> > release. This issue is so incredibly minor though that I wouldn't even
> > have classified it as a security issue (it allows you to figure out if
> > a file exists on the system if you know its exact path, and that's it.
> > All you do is gain a little bit of information about the system).
> >
> > So yeah, will be addressed, but ironically the fix is more dangerous
> > than the issue itself because we may break legitimate use cases if we
> > aren't careful.
>
> If the impact is that limited and if there is a risk of regressions
> we can also simply mark it as being of negligible impact and ignore
> it for released distros.
The impact is basically "figure out if a file exists that you know the
exact path of beforehand". It is information a non-root user shouldn't
have, but can't be exploited for anything else on its own.
The patch should be safe, but I would still give it a week, to see if
there are any issues with Debconf handling in PK. Then it makes sense
to backport, I think.
Cheers,
Matthias