Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 30 Jan 2015 07:44:49 +0300
From: Alexander Cherepanov <ch3root@...nwall.com>
To: oss-security@...ts.openwall.com, Solar Designer <solar@...nwall.com>
CC: Paul Pluzhnikov <ppluzhnikov@...il.com>
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

On 2015-01-30 03:28, Kees Cook wrote:
> On Thu, Jan 29, 2015 at 4:02 PM, Solar Designer <solar@...nwall.com> wrote:
>> Paul, Kees -
>>
>> On Thu, Jan 29, 2015 at 08:00:48AM -0800, Paul Pluzhnikov wrote:
>>> On Thu, Jan 29, 2015 at 4:09 AM, Hanno B??ck <hanno@...eck.de> wrote:
>>>> And yes: I'd like people to cry alarm every time they see a buffer
>>>> overflow in glibc or any other core lib.
>>>
>>> What is the appropriate forum to cry alarm on?
>>
>> As a moderator for oss-security, I'd appreciate it if you cry alarm in
>> here.  And if this ever becomes too noisy, that would be an interesting
>> problem to have and we'll find a way to deal with it then. :-)
>>
>>> We are not a distro, and (AFAICT) are not on any of the closed lists.
>>> But maybe we should be.
>>
>> Actually, Chrome OS is listed as a member of linux-distros here:
>>
>> http://oss-security.openwall.org/wiki/mailing-lists/distros
>>
>> and the person subscribed on behalf of Chrome OS is Kees Cook
>> (previously representing Ubuntu).  Given your comment above, we have to
>> double-check whether this is currently correct.  Is Kees Cook currently
>> representing Chrome OS on linux-distros?  If so, why were you not aware
>> of that?  (I think this is unrelated to the handling of GHOST, but since
>> this was brought up we just have to deal with it as well.)
>
> I'm representing Chrome OS on linux-distros, yes. As for GHOST, I
> wasn't aware of the issue when it was fixed back in April in the
> Chrome OS bug tracker -- it was handled by the package maintainers, it
> seems, and never got escalated, unfortunately.
>
> -Kees

I cannot help but ask: is 
https://code.google.com/p/chromium/issues/detail?id=364511#c9 from you? 
(Sorry, I see only a partial email address there, and I cannot expand it 
for some reason.) Was it automated then?

https://code.google.com/p/chromium/issues/detail?id=364511#c10 is from 
Tim Willis and he is from the Chrome security team, right? I'm not sure 
what you mean by "escalated" but comments #10 and #14 show that the 
Chrome security team can catch relevant issues itself (which is nice).

-- 
Alexander Cherepanov

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ