[Secure-testing-commits] r14061 - in data: . CVE
Nico Golde
debian-secure-testing+ml at ngolde.de
Mon Feb 8 22:38:15 UTC 2010
Hey,
* Michael Gilbert <michael.s.gilbert at gmail.com> [2010-02-08 22:02]:
> On Mon, 8 Feb 2010 17:48:02 +0000, Moritz Muehlenhoff wrote:
> > Author: jmm-guest
> > Date: 2010-02-08 17:48:00 +0000 (Mon, 08 Feb 2010)
> > New Revision: 14061
> >
> > Modified:
> > data/CVE/list
> > data/embedded-code-copies
> > Log:
> > - bzr code copies fixed
> > - glibc issue not a vulnerability
>
> Please explain why this is not an issue. It adds additional protection
> from memory corruption, making it harder to introduce malicious code.
>
> Even if you consider it a security hardening feature, then it is still a
> security issue. You could mark it unimportant, and make a note about
> that, but removing it is not right.
We track security issues, not hardening features. I'm also not sure if this
will even get a CVE id. If there is an issue, it's in the application, not in
glibc, and so I don't even think we should track it. The House of Mind is
not a vulnerability but a trick to bypass certain glibc restrictions when
exploiting heap overflows. We also aren't tracking kernels that have
randomize_va_space not set to 1 by default as vulnerabilities, and that makes
good sense.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.