Date: Thu, 29 Jan 2015 16:28:06 -0800
From: Kees Cook <keescook@...omium.org>
To: Solar Designer <solar@...nwall.com>
Cc: Paul Pluzhnikov <ppluzhnikov@...il.com>, oss-security@...ts.openwall.com
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

On Thu, Jan 29, 2015 at 4:02 PM, Solar Designer <solar@...nwall.com> wrote:
> Paul, Kees -
>
> On Thu, Jan 29, 2015 at 08:00:48AM -0800, Paul Pluzhnikov wrote:
>> On Thu, Jan 29, 2015 at 4:09 AM, Hanno Böck <hanno@...eck.de> wrote:
>> > And yes: I'd like people to cry alarm every time they see a buffer
>> > overflow in glibc or any other core lib.
>>
>> What is the appropriate forum to cry alarm on?
>
> As a moderator for oss-security, I'd appreciate it if you cry alarm in
> here.  And if this ever becomes too noisy, that would be an interesting
> problem to have and we'll find a way to deal with it then. :-)
>
>> We are not a distro, and (AFAICT) are not on any of the closed lists.
>> But maybe we should be.
>
> Actually, Chrome OS is listed as a member of linux-distros here:
>
> http://oss-security.openwall.org/wiki/mailing-lists/distros
>
> and the person subscribed on behalf of Chrome OS is Kees Cook
> (previously representing Ubuntu).  Given your comment above, we have to
> double-check whether this is currently correct.  Is Kees Cook currently
> representing Chrome OS on linux-distros?  If so, why were you not aware
> of that?  (I think this is unrelated to the handling of GHOST, but since
> this was brought up we just have to deal with it as well.)

I'm representing Chrome OS on linux-distros, yes. As for GHOST, I
wasn't aware of the issue when it was fixed back in April in the
Chrome OS bug tracker -- it was handled by the package maintainers, it
seems, and never got escalated, unfortunately.

-Kees

-- 
Kees Cook
Chrome OS Security
