
Bug#905232: stretch-pu: package brltty/5.4-7+deb9u1



Control: tag -1 - moreinfo

Hi,

Samuel Thibault <sthibault@debian.org> (2018-08-17):
> Adam D. Barratt, on Fri. 17 Aug 2018 16:18:05 +0100, wrote:
> > On Wed, 2018-08-01 at 19:09 +0200, Samuel Thibault wrote:
> > > The story is that the policykit-1 package was patched in unstable
> > > with 0.115/Fix-CVE-2018-1116-Trusting-client-supplied-UID.patch
> > > to fix a CVE, and we have noticed that it completely breaks polkit
> > > authentication in brlapi, which means that braille does not work in
> > > graphical sessions, reported as bug #905058.  This is actually due to
> > > a misuse of the polkit API in brltty, which only got to pose a problem
> > > with the addition of that policykit patch. A brltty fix has been
> > > uploaded to unstable so the issue is fixed there.  policykit
> > > maintainers however plan to upload their patch to stretch, so we need
> > > to upload the brltty fix in stretch too.
> > 
> > Thanks for fixing this. As brltty produces a udeb, this needs a KiBi-
> > ack; tagged and CCing accordingly.
> 
> Well, the brltty udeb doesn't contain polkit support, so it should be a
> no-op, but better have KiBi aware of the new version indeed :)

This looked like a case where I could toy with diffoscope to verify this
claim (well, I'm not doubting you, really), and it seems that there's
only a timestamp change (along with the build ID, obviously) in the
sbin/brltty binary.

No objections, thanks.


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
