Hi Mark, and thanks for the heads-up, CC'ing the LTS mailing list for visibility. BCC'ing debian-devel.
On 19/12/24 at 17:50, Mark Hindley wrote:
> Hello,
>
> I recently completed salvaging of src:ucf[1].
>
> As part of code cleanup I discovered a variable inherited from the environment
> which is then passed to eval[2]. Unintended code execution is trivial to
> demonstrate. To my mind, this is a coding oversight. As the patch in #1089015
> shows, the fix is simple and obvious. But I want to be sure that nobody is using
> inheritance of this variable as an undocumented 'feature' before merging the
> suggested patch.
>
> The Security Team have already been consulted and are content for this to be
> handled through stable-pu.
>
> For completeness, unstable and testing are no longer affected as virtually all
> uses of eval have been removed.
>
> Thanks
>
> Mark
>
> [1] https://bugs.debian.org/1086847
>
> [2] https://bugs.debian.org/1089015
>

There are no point releases for the LTS release, so if this warrants a fix, it should be done via a DLA.

Emilio, since you are FD this week, would you mind taking a look at this?

Cheers,

--
Santiago
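The bug class Mark describes, a shell variable the script never initialises (so it is inherited from whoever invoked it) ending up inside eval, as an added illustration that is not ucf's code: the variable name CONF_OPTS, the function names and the "explicit argument, split without eval" hardening are assumptions, not the patch in #1089015, and the lint at the end is a simplified helper for spotting such variables in any shell script.

```shell
#!/bin/sh
# Added illustration (not ucf's code): an uninitialised shell variable that
# reaches eval, beside a hardened form and a small lint to find such variables.
# CONF_OPTS and the function names are assumptions, not ucf's identifiers.

# Before: the script never assigns CONF_OPTS, so whatever the caller exported
# under that name is spliced into the eval string and parsed as shell code.
apply_opts_unsafe() {
    eval "set -- $CONF_OPTS"
    printf '%s\n' "$#"
}

# After: the value comes only from an explicit argument, and it is split into
# words by field splitting alone, so $(...), ; and the like stay inert text.
# (Resetting CONF_OPTS= at the top of the script is the same idea in one line.)
apply_opts_safe() {
    set -f                   # no pathname expansion while splitting
    set -- $1                # field splitting only; results are never re-parsed
    set +f
    printf '%s\n' "$#"
}

# Third word of the split list, to check that shell syntax survived verbatim.
third_opt_safe() {
    set -f; set -- $1; set +f
    printf '%s\n' "${3:-}"
}

# Lint: print variables referenced on eval lines of $1 that the script never
# assigns anywhere (VAR=...), i.e. the ones that can only come from the
# environment. Simplified: read/for/getopts assignments are not recognised.
eval_vars_from_env() {
    grep -E '^[[:space:]]*eval[[:space:]]' "$1" |
        grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*' | tr -d '${' | sort -u |
        while read -r v; do
            grep -qE "(^|[^A-Za-z0-9_])${v}=" "$1" || printf '%s\n' "$v"
        done
}
```

Running `eval_vars_from_env` over a script is a quick way to review every eval site for a name the script never sets itself.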