Date: Thu, 29 Jan 2015 16:28:06 -0800
From: Kees Cook <keescook@...omium.org>
To: Solar Designer <solar@...nwall.com>
Cc: Paul Pluzhnikov <ppluzhnikov@...il.com>, oss-security@...ts.openwall.com
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

On Thu, Jan 29, 2015 at 4:02 PM, Solar Designer <solar@...nwall.com> wrote:
> Paul, Kees -
>
> On Thu, Jan 29, 2015 at 08:00:48AM -0800, Paul Pluzhnikov wrote:
>> On Thu, Jan 29, 2015 at 4:09 AM, Hanno Böck <hanno@...eck.de> wrote:
>> > And yes: I'd like people to cry alarm every time they see a buffer
>> > overflow in glibc or any other core lib.
>>
>> What is the appropriate forum to cry alarm on?
>
> As a moderator for oss-security, I'd appreciate it if you cry alarm in
> here. And if this ever becomes too noisy, that would be an interesting
> problem to have and we'll find a way to deal with it then. :-)
>
>> We are not a distro, and (AFAICT) are not on any of the closed lists.
>> But maybe we should be.
>
> Actually, Chrome OS is listed as a member of linux-distros here:
>
> http://oss-security.openwall.org/wiki/mailing-lists/distros
>
> and the person subscribed on behalf of Chrome OS is Kees Cook
> (previously representing Ubuntu). Given your comment above, we have to
> double-check whether this is currently correct. Is Kees Cook currently
> representing Chrome OS on linux-distros? If so, why were you not aware
> of that? (I think this is unrelated to the handling of GHOST, but since
> this was brought up we just have to deal with it as well.)

I'm representing Chrome OS on linux-distros, yes. As for GHOST, I
wasn't aware of the issue when it was fixed back in April in the
Chrome OS bug tracker -- it was handled by the package maintainers, it
seems, and never got escalated, unfortunately.

-Kees

--
Kees Cook
Chrome OS Security