Date: Wed, 11 Jun 2014 14:06:55 -0700
From: Alex Gaynor <alex.gaynor@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE for library bug that requires application participation

Hi all,

David Reid, Glyph Lefkowitz, and myself discovered a bug in glibc
(https://sourceware.org/bugzilla/show_bug.cgi?id=17048) which can, in
conjunction with many common memory management techniques from an
application (read: we hit this issue repeatedly developing our Python
application), lead to a use after free, or other vulnerabilities.

Is it within policy to issue a CVE for glibc in a case like this?

Thanks to the Red Hat security team for assisting in triaging this and
working with the glibc maintainers.

Thanks,
Alex

--
"I disapprove of what you say, but I will defend to the death your right
to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084