Date: Wed, 11 Jun 2014 14:06:55 -0700
From: Alex Gaynor <alex.gaynor@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE for library bug that requires application participation

Hi all,

David Reid, Glyph Lefkowitz, and I discovered a bug in glibc
(https://sourceware.org/bugzilla/show_bug.cgi?id=17048) which can, in
conjunction with many common memory management techniques from an
application (read: we hit this issue repeatedly developing our Python
application), lead to a use after free, or other vulnerabilities.

Is it within policy to issue a CVE for glibc in a case like this?

Thanks to the Red Hat security team for assisting in triaging this and
working with the Glibc maintainers.

Thanks,
Alex

-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
