Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 4 Sep 2014 20:46:30 -0400
From: Rich Felker <dalias@...c.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: heap overflow in procmail

On Wed, Sep 03, 2014 at 09:44:12PM -0700, Tavis Ormandy wrote:
> Rich Felker <dalias@...c.org> wrote:
> > 
> > Unless I'm misunderstanding your report, the problem is in the formail
> > utility which comes with procmail, not procmail itself. This should be
> > clarified in the title of the vuln, perhaps as "heap overflow in
> > procmail's formail utility" rather than "heap overflow in procmail".
> 
> I'm not sure what "title" you mean, are you referring to my email subject?
> If you are, I think "<problem> in <package>" is pretty reasonable, but
> perhaps this is subjective (hah!).

Yes, the email subject. "<problem> in <package>" seems reasonable,
but when <package> is also the name of the main program in <package>,
and the actual vuln is in a secondary program included with it, I
think it's confusing. I'm not sure what percentage of procmail users
also use formail along with it, but in general, there will be cases
where <package> is extremely widely used but the program with the
actual vulnerability of is obscure and mostly unused.

Rich

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ