CVE-2023-3297 (https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024182): In Ubuntu's accountsservice, an unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to the accounts-daemon process. I'm not certain that we're affected; the advisory mentioned that the vulnerability can be exploited via an Ubuntu patch, but I'm not sure if it's reachable elsewhere.
The upstream Ubuntu bug has been resolved as fixed with only changes to the specific patch. We don't carry that patch so this vulnerability does not apply to us. @ajak: do you want to double-check this, or can I close this bug?
Hm, the original report says "This is done incorrectly in several places in accountsservice. For example, [in the patch]", which would lead me to think that there are multiple instances of this problem in various places throughout accountsservice, rather than exclusively in the patch. But it seems Ubuntu only patched the patch, so I'm happy following them on that.