On Sun, Apr 18, 2021 at 7:04 PM Salvatore Bonaccorso wrote:
> Sure I did as I'm on the team alias as well. Given it looks unlikely
> that mesa will fix it (at the moment?) I thought/think we should
> probably do something on xscreensaver's side in Debian as well.
>
> Is the sonar screensaver frequently used? How about dropping it
> instead? Thinking about it in the last hour this raised to be a
> possible option to not expose the bug.

Yes, I think dropping the set_cap is the easy way out of here. sonar will still be visually pleasing, just not so interesting. I don't think we should wait for upstream mesa to fix this, but can't we just patch Debian mesa with getauxval() checks? Since mesa currently does the geteuid check, it seems logical to fix it there also for other situations than sonar.

On Sun, Apr 18, 2021 at 7:15 PM Salvatore Bonaccorso wrote:
> Another option would be to extract the needed changes from 6.00
> upstream accordingly if the thread in
> https://www.openwall.com/lists/oss-security/2021/04/17/1 gives us no
> other solutions.

Sure, if that is easily backportable we should do it. I haven't looked at it though so I cannot tell.

Tormod
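
Added example, not part of the thread and not code from mesa or xscreensaver: a C sketch of the difference between a geteuid-style check and a getauxval(AT_SECURE) check for a binary that gets its privilege from file capabilities. The struct and function names are hypothetical, and the values in the test are constructed.

```c
#include <stdlib.h>
#include <sys/auxv.h>
#include <sys/types.h>
#include <unistd.h>

/* Inputs to the decision, captured in a struct so the logic can be
 * exercised with constructed values as well as the live process. */
struct priv_state {
    uid_t ruid, euid;
    gid_t rgid, egid;
    unsigned long at_secure;    /* value of getauxval(AT_SECURE) */
};

static struct priv_state priv_state_current(void)
{
    struct priv_state s;
    s.ruid = getuid();
    s.euid = geteuid();
    s.rgid = getgid();
    s.egid = getegid();
    s.at_secure = getauxval(AT_SECURE);  /* 0 if the entry is absent */
    return s;
}

/* uid comparison only: true for a setuid binary, but false for a binary
 * that gained privilege through file capabilities (setcap). */
static int elevated_by_uid(const struct priv_state *s)
{
    return s->ruid != s->euid;
}

/* AT_SECURE is set by the kernel at exec time for setuid, setgid and
 * file-capability binaries. The id comparisons are kept as a fallback. */
static int elevated_by_auxv(const struct priv_state *s)
{
    return s->at_secure != 0 || s->ruid != s->euid || s->rgid != s->egid;
}

/* Hypothetical helper: ignore an environment override when elevated. */
static const char *getenv_unless_elevated(const char *name)
{
    struct priv_state s = priv_state_current();
    return elevated_by_auxv(&s) ? NULL : getenv(name);
}
```

glibc's secure_getenv(3) applies the same AT_SECURE test to environment lookups.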