Comment 2 for bug 2048092

dann frazier (dannf) wrote:

@ahasenack - thanks for asking these questions.

I do know of a user rebuilding jammy's util-linux. The build recipe I've seen installs these binaries. I don't know the risk that they might become setuid. This CVE I noticed as being fixed in a later version of util-linux, but not in jammy. I then looked it up in our CVE tracker and saw why we had chosen not to patch it.

To verify that the code inside is not used, I used inotifywait during the build to watch for processes opening these .c files. Each file is opened exactly twice - both times during the dh-autoreconf phase, where it collects a checksum before and after using md5sum. Neither file is opened again.
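
The inotifywait check described in the comment above, as an added example that is not part of the original comment. The file paths, build command, log format and function names are assumptions, and the sample log is constructed.

```shell
# Added example: watch selected source files for open() events during a build.
# Paths and the build command are placeholders; the page does not name them.

# Usage: watch_build LOGFILE "BUILD COMMAND" FILE...
watch_build() {
    log=$1; build_cmd=$2; shift 2
    : > "$log"
    # -m: keep monitoring; -e open: only open events; -o: write events to LOGFILE.
    # %w is the watched path, %e the event names, %T the time per --timefmt.
    inotifywait -m -q -e open --timefmt '%H:%M:%S' \
        --format '%T %w %e' -o "$log" "$@" &
    watcher=$!
    sleep 1                      # let inotifywait establish its watches first
    sh -c "$build_cmd"; status=$?
    kill "$watcher" 2>/dev/null || true
    wait "$watcher" 2>/dev/null || true
    return "$status"
}

# Read a log on stdin, print "COUNT PATH" per file (paths assumed space-free).
summarize_opens() {
    awk '$3 ~ /OPEN/ { n[$2]++ } END { for (f in n) print n[f], f }' | sort -k2
}

# Print files whose open count differs from EXPECTED (2 in the comment's case:
# one md5sum before and one after dh-autoreconf).
unexpected_opens() {
    summarize_opens | awk -v want="$1" '$1 != want { print $2 }'
}

# Constructed sample log: placeholder_b.c is opened a third time, later on.
SAMPLE_LOG='10:01:02 src/placeholder_a.c OPEN
10:01:02 src/placeholder_b.c OPEN
10:01:09 src/placeholder_a.c OPEN
10:01:09 src/placeholder_b.c OPEN
10:04:30 src/placeholder_b.c OPEN'

# Example run against a real build (placeholders):
#   watch_build opens.log "dpkg-buildpackage -b -uc -us" src/placeholder_a.c
#   unexpected_opens 2 < opens.log
```

inotify events do not identify the opening process, so the timestamps are what tie each open to a build phase. A watch on a file follows its inode, so a file that is replaced during the build needs a watch on its directory instead.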