From the 2.4.0 release notes [0]: """ Security Fix: Check single-word path commands as the user fsugid to avoid that user X use the generator to spy on user Y and see whether a file exist in it's $HOME. """ [0] https://github.com/systemd-cron/systemd-cron/releases/tag/v2.4.0
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9650ada19875e027a46c5ce23dc15555bd0044d0 commit 9650ada19875e027a46c5ce23dc15555bd0044d0 Author: Richard Freeman <rich0@gentoo.org> AuthorDate: 2024-04-30 11:45:05 +0000 Commit: Richard Freeman <rich0@gentoo.org> CommitDate: 2024-04-30 12:51:00 +0000 sys-process/systemd-cron: add 2.4.0 Bug: https://bugs.gentoo.org/930950 Signed-off-by: Richard Freeman <rich0@gentoo.org> sys-process/systemd-cron/Manifest | 1 + sys-process/systemd-cron/systemd-cron-2.4.0.ebuild | 93 ++++++++++++++++++++++ 2 files changed, 94 insertions(+)
(This is a relatively small update, and both the previous version and this one appear to work fine on a stable system. I'm not sure how long we wait to stabilize on relatively minor security updates like this one...)
Given it's a pretty minor vulnerability, I'd give it two weeks or so, personally.
