[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fixes for CVE-2020-13696 (#962221)

On Wed, Jul 08, 2020 at 09:07:25AM +0100, Jeremy Sowden wrote:
> The new upstream release added extra checks to ensure that the object at
> the end of the path is a device file of the right sort before opening
> it:
> However, the error messages still leak information, allowing the user to
> test for the existence of arbitrary files:
> The patch changes the error messages to prevent this:

Oh, I think I understand now.  So I reckon with the extra patch this CVE
is fixed.

I'm going to upload this soon :)

                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

Attachment: signature.asc
Description: PGP signature

Reply to: