Re: Local information disclosure in apport and systemd-coredump

[Solar Designer <solar () openwall com>]

Hi,

Regarding the missing patch:

On Tue, Jun 10, 2025 at 07:06:58AM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> On Fri, Jun 06, 2025 at 03:20:27AM +0200, Solar Designer wrote:
> > In your message to linux-distros, you shared these two patches:
> >
> > 0001-coredump-get-rid-of-_META_MANDATORY_MAX.patch
> > 0003-coredump-also-stop-forwarding-non-dumpable-processes.patch
> >
> > So it looks like you omitted patch number 2.  Yet to me that omitted
> > patch would have been the most important part of the fix.  Was this
> > omission inadvertent, or am I missing some reason to skip that patch?
>
> Hmmm, the mail I see here in my mail folder has the middle patch too
> (Message-ID: <aDRxuOl3_j0infhz () kawka3 in waw pl>). I'm not subscribed
> to linux-distros so I didn't see the message as it was received on
> the mailing list.
>
> > I think it's these 3 commits (as they appear in the main branch, and I
> > see equivalent ones are also in v257-stable and v256-stable):
> > commit 8fc7b2a211eb13ef1a94250b28e1c79cab8bdcb9
> > commit 0c49e0049b7665bb7769a13ef346fef92e1ad4d6
> > commit 49f1f2d4a7612bbed5211a73d11d6a94fbe3bb69
>
> Yep, that's correct.
>
> As you can see, we made a bunch of follow-up later on. But those
> three patches are enough to resolve the issue.

Thank you!

I tried investigating what may have happened, and while I do now suspect
it was incorrect processing on the list server, I couldn't identify a
specific cause nor confirm this guess based on the logs.  Re-encrypting
a MIME message is unfortunately non-trivial.

Alexander