https://bugzilla.novell.com/show_bug.cgi?id=698250
https://bugzilla.novell.com/show_bug.cgi?id=698250#c27

--- Comment #27 from Sebastian Krahmer <krahmer@suse.com> 2011-11-15 13:30:58 UTC ---

The fixes look ok to me (if those are all the places with the SQL problems; I didn't count them...).

The http://www.sqlite.org/c3ref/mprintf.html description is probably a bit incorrect. The call indeed has to double each \, but it also has to take care of '. The description is missing that, but the example they give produces the correct result.

Besides the SQL injection fix, we need the non-root fix working. If we shipped a colord running as root in this or another way, we probably need to make updates.

"org.freedesktop.color-manager.create-device" is allowed for active sessions by users, which in turn allows creating device entries with an arbitrary device_id, which then allows submitting arbitrary SQL statements.
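An added illustration of the bug class and the two remedies discussed in the comment (splicing a caller-supplied device_id into SQL text, versus doubling single quotes as %q does, versus bound parameters). This is example code written for this page, not colord's own code; it uses Python's built-in sqlite3 module, and the table layout and device id are constructed for the demonstration.

```python
import sqlite3

# Constructed table, standing in for a device table keyed by device_id.
SCHEMA = "CREATE TABLE devices (device_id TEXT PRIMARY KEY, kind TEXT)"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def try_insert_unsafe(conn, device_id):
    """Vulnerable pattern: the caller-controlled id is pasted into the SQL
    text, so a quote in the id ends the string literal and whatever follows
    is parsed as SQL. Returns False when the statement fails to parse."""
    sql = "INSERT INTO devices VALUES ('%s', 'display')" % device_id
    try:
        conn.execute(sql)
        return True
    except sqlite3.OperationalError:
        return False


def quote_like_q(value):
    """The rule sqlite3_mprintf's %q applies to a string argument: every
    single quote is doubled, so the value cannot leave its literal."""
    return value.replace("'", "''")


def insert_device_escaped(conn, device_id):
    # Still string formatting, but the id is escaped before it is spliced in.
    sql = "INSERT INTO devices VALUES ('%s', 'display')" % quote_like_q(device_id)
    conn.execute(sql)


def insert_device_param(conn, device_id):
    # Preferred fix: a bound parameter is never seen by the SQL parser as text.
    conn.execute("INSERT INTO devices VALUES (?, 'display')", (device_id,))


def list_ids(conn):
    return [row[0] for row in conn.execute("SELECT device_id FROM devices ORDER BY device_id")]


if __name__ == "__main__":
    db = new_db()
    tricky = "xrandr-Dell'Inc"  # constructed id containing a single quote
    print("unsafe insert parsed:", try_insert_unsafe(db, tricky))
    insert_device_escaped(db, tricky)
    insert_device_param(db, tricky + "-2")
    print(list_ids(db))
```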