Date: Fri, 30 Jan 2015 07:44:49 +0300 From: Alexander Cherepanov <ch3root@...nwall.com> To: oss-security@...ts.openwall.com, Solar Designer <solar@...nwall.com> CC: Paul Pluzhnikov <ppluzhnikov@...il.com> Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235) On 2015-01-30 03:28, Kees Cook wrote: > On Thu, Jan 29, 2015 at 4:02 PM, Solar Designer <solar@...nwall.com> wrote: >> Paul, Kees - >> >> On Thu, Jan 29, 2015 at 08:00:48AM -0800, Paul Pluzhnikov wrote: >>> On Thu, Jan 29, 2015 at 4:09 AM, Hanno B??ck <hanno@...eck.de> wrote: >>>> And yes: I'd like people to cry alarm every time they see a buffer >>>> overflow in glibc or any other core lib. >>> >>> What is the appropriate forum to cry alarm on? >> >> As a moderator for oss-security, I'd appreciate it if you cry alarm in >> here. And if this ever becomes too noisy, that would be an interesting >> problem to have and we'll find a way to deal with it then. :-) >> >>> We are not a distro, and (AFAICT) are not on any of the closed lists. >>> But maybe we should be. >> >> Actually, Chrome OS is listed as a member of linux-distros here: >> >> http://oss-security.openwall.org/wiki/mailing-lists/distros >> >> and the person subscribed on behalf of Chrome OS is Kees Cook >> (previously representing Ubuntu). Given your comment above, we have to >> double-check whether this is currently correct. Is Kees Cook currently >> representing Chrome OS on linux-distros? If so, why were you not aware >> of that? (I think this is unrelated to the handling of GHOST, but since >> this was brought up we just have to deal with it as well.) > > I'm representing Chrome OS on linux-distros, yes. As for GHOST, I > wasn't aware of the issue when it was fixed back in April in the > Chrome OS bug tracker -- it was handled by the package maintainers, it > seems, and never got escalated, unfortunately. > > -Kees I cannot help but ask: is https://code.google.com/p/chromium/issues/detail?id=364511#c9 from you? (Sorry, I see only a partial email address there, and I cannot expand it for some reason.) Was it automated then? https://code.google.com/p/chromium/issues/detail?id=364511#c10 is from Tim Willis and he is from the Chrome security team, right? I'm not sure what you mean by "escalated" but comments #10 and #14 show that the Chrome security team can catch relevant issues itself (which is nice). -- Alexander Cherepanov
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ