[15:47] <sdeziel> Hello o/, I have a tool that runs as root and `mount -o ro` ISOs retrieved from external sources. I know that comes with a bunch of risks on its own but I'm wondering if there would be some benefits in specifying the fstype to use (`mount -t iso9660 -o ro ...`) to avoid `mount` (or the kernel?) having to (wrongly?) guess the fstype?
[16:08] <mdeslaur> sdeziel: filesystem flaws are common, if you specify it, you make sure someone isn't trying to exploit a known vulnerability in some arbitrary filesystem
[16:09] <sdeziel> mdeslaur: thanks!
[16:09] <mdeslaur> I guess that would reduce exposure a bit
[16:38] <JanC> in some cases, it might also be useful to mount using a FUSE implementation of the FS
[16:38] <JanC> and/or in a VM
[17:17] <sdeziel> true, thanks as well!
[18:05] <sarnold> doesn't red hat have a tool that does basically that 'mount it in a VM and use fuse' trick?
[18:05] <sarnold> I'm sure I'll think of the name eventually
[18:40] <UnivrslSuprBox> I believe https://ubuntu.com/security/CVE-2022-47015 should be marked as affecting mariadb-10.6 and mariadb-10.5 as well, unless you all have information that the public doesn't
[18:40] -ubottu:#ubuntu-security- MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47015>
[18:42] <mdeslaur> UnivrslSuprBox: thanks, I'll fix it in a minute
[19:05] <UnivrslSuprBox> https://jira.mariadb.org/browse/MDEV-29644 has the fix versions, of course I know that Ubuntu could have pulled a fix in via d/patches and haven't checked if such a thing has occurred.
[19:06] <rbasak> FWIW, you can check the "applied" git-ubuntu branches to quickly spot in a web browser if a patch looks like it has been applied
[19:12] <UnivrslSuprBox> The CVE isn't mentioned in the 10.6 changelog in any Ubuntu version, at least, and the Ubuntu version is behind upstream's official "fixed release"s
[19:19] <sdeziel> sarnold: https://www.libguestfs.org/ maybe?
[19:19] <sarnold> sdeziel: YEAH! That's the thing :D
[19:20] <sarnold> re mariadb, we basically just publish what otto puts together for sponsoring
[19:20] <sarnold> he probably prefers to focus on newer releases
[19:20] <sarnold> most upstreams do :)
[19:22] <UnivrslSuprBox> Yep, all good sarnold, someone over here just raised it as missing data on the security tracker
[19:23] <sarnold> UnivrslSuprBox: yeah, definitely good find there :) it's not great that we're not doing a better job keeping up on it, but we absolutely should have accurate data about it
[19:24] <UnivrslSuprBox> Is the data public in any way so packagers or community members could propose updates with cited sources?
[19:25] <sarnold> yeah, it's all backed by a git repo https://git.launchpad.net/ubuntu-cve-tracker/tree/
[19:29] <UnivrslSuprBox> ooo, that's excellent