Query,
What do we mean by “untrusted GVariant input”? I read in a post that dbus will not be affected since it only affects untrusted variant input.
Can anyone maybe help with an example or information to understand better?
Is it possible to give a much more detailed explanation? As the term “untrusted input” seems generic.
GVariant is a library API. Application developers can do anything with it. For example, you could design a client/server network API where client applications send GVariants to the server. Concrete example: eos-event-recorder-daemon sends GVariants to azafea-metrics-proxy.
As for D-Bus, I don’t myself understand the impact on D-Bus. Message brokers (dbus-daemon and dbus-broker) do not use GVariant, but GDBus certainly does. However, I do not know whether GDBus is vulnerable or not.
Lastly, reminder: there are more denial of service issues in GVariant, which have not been debugged or even reported yet. These older CVEs are not the last of them.
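
To make “untrusted input” concrete, here is an added example (not from this thread, and not GLib's code): a simplified pure-Python check of serialized GVariant bytes of type `as` (array of strings) as a server might receive them from a client, following the documented GVariant serialization format. The function names, the `max_items` cap and the sample bytes are constructed for illustration.

```python
# Added illustration: a simplified validator for serialized GVariant data of
# type "as" (array of strings). Not GLib code; covers only this one type.

def _offset_size(container_len):
    """Width in bytes of each framing offset for a container of this size."""
    for width, limit in ((1, 0xFF), (2, 0xFFFF), (4, 0xFFFFFFFF)):
        if container_len <= limit:
            return width
    return 8


def parse_untrusted_as(data, max_items=1024):
    """Decode bytes from an untrusted peer as GVariant type 'as'.

    Every offset in `data` is chosen by the sender, so each one is
    bounds-checked before use. Raises ValueError instead of guessing.
    """
    if not data:
        return []                      # empty array serializes to zero bytes
    width = _offset_size(len(data))
    if len(data) < width:
        raise ValueError("too short to hold a framing offset")
    # The last framing offset marks where the elements end and the table begins.
    table_start = int.from_bytes(data[-width:], "little")
    if table_start > len(data) - width:
        raise ValueError("offset table start out of bounds")
    table_len = len(data) - table_start
    if table_len % width:
        raise ValueError("offset table is not a whole number of entries")
    count = table_len // width
    if count > max_items:
        raise ValueError("too many elements")   # cap work per message
    items, start = [], 0
    for i in range(count):
        pos = table_start + i * width
        end = int.from_bytes(data[pos:pos + width], "little")
        if end <= start or end > table_start:
            raise ValueError("element offset overlaps or runs backwards")
        raw = data[start:end]
        if raw[-1] != 0 or 0 in raw[:-1]:
            raise ValueError("string not terminated by a single NUL")
        items.append(raw[:-1].decode("utf-8"))  # UnicodeDecodeError is a ValueError
        start = end
    return items


# Constructed samples: a well-formed ["hi", "yo"] and a copy with a bad offset.
GOOD = b"hi\x00yo\x00\x03\x06"
BAD = b"hi\x00yo\x00\x07\x06"
```

In GLib itself, this trusted/untrusted distinction is what the `trusted` argument of `g_variant_new_from_bytes()` expresses.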