Together with Niklas Volcz, who reported the vulnerability to us, we agreed to file a CVE record for it and it was assigned a few hours ago. So, Turris OS has its first CVE-2021-3346.
This issue is fixed already, so keep your devices updated!
We will disclose the GitLab issue (turris/foris/foris#201) with detailed description on Monday, February 8th 2021, to give some time for those who use delayed updates feature.
Kudos to Niklas Volcz and his responsible disclosure