libqb / CVE-2019-12779
The upstream patch patches "c->description" which is not used in
Jessie. OK, so probably not vulnerable.

Looking at data/dla-needed.txt:

libqb
NOTE: 20190616: Upstream patch does not apply at all, but it appears that
NOTE: 20190616: package is still vulnerable in ipc_posix_mq.c etc. or
NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby)

OK, Good point. However these files are opened with posix_mq_create,
which uses O_EXCL - my understanding is that this means these functions
are not vulnerable to symlink attacks, etc.

However lib/ipc_shm.c has calls to qb_rb_open, which doesn't have
O_EXCL, thinking this might be a vulnerability.

lib/log_blackbox.c looks similar.

qb_rb_open calls qb_sys_mmap_file_open which in turn calls
open_mmap_file which can support calling mkstemp to generate the
filename, however I think this isn't getting used (no XXXXXX in filename
string), so vulnerable still.

If you want to look at libqb probably worth double checking this in case
I got something wrong/confused :-)
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
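
The O_EXCL point discussed in the message above can be checked directly. The following is an added example, not part of the original message and not libqb code: it opens a predictable name that already exists as a symlink, once with O_CREAT|O_EXCL and once with O_CREAT alone. The scratch directory, file names and struct are constructed for the illustration.

```c
/* Added example, not libqb code. All paths and names are constructed. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* *_errno: result of open() on the symlink; *_target: 1 if the link target exists afterwards. */
struct demo_result { int excl_errno, excl_target, plain_errno, plain_target; };

/* open() then close(); returns 0 on success, otherwise errno. */
static int try_open(const char *path, int flags)
{
    int fd = open(path, flags, 0600);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Place a dangling symlink at a predictable name inside a private
 * scratch directory, then open that name both ways. */
int run_demo(struct demo_result *r)
{
    char dir[] = "/tmp/oexcl-demo-XXXXXX";
    char name[64], target[64];
    struct stat st;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(name, sizeof name, "%s/predictable-name", dir);
    snprintf(target, sizeof target, "%s/link-target", dir);
    if (symlink(target, name) != 0) return -1;
    /* O_EXCL: the existing symlink makes open() fail; it is not followed. */
    r->excl_errno = try_open(name, O_RDWR | O_CREAT | O_EXCL);
    r->excl_target = (stat(target, &st) == 0);
    /* No O_EXCL: open() follows the link and creates the target file. */
    r->plain_errno = try_open(name, O_RDWR | O_CREAT);
    r->plain_target = (stat(target, &st) == 0);
    unlink(target); unlink(name); rmdir(dir);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) return 1;
    printf("O_CREAT|O_EXCL: errno=%d target_created=%d\n", r.excl_errno, r.excl_target);
    printf("O_CREAT only:   errno=%d target_created=%d\n", r.plain_errno, r.plain_target);
    return 0;
}
```

With O_EXCL the open fails with EEXIST and the link target is never created; without it the open succeeds through the symlink, which is the property to look for when auditing each open() call site.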