Date: Mon, 14 Mar 2016 13:01:38 -0500 (CDT)
From: Bob Friesenhahn <bfriesen@...ple.dallas.tx.us>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Re: CVE-Request - GNU Awk.

On Mon, 14 Mar 2016, Kurt Seifried wrote:

> Is a SIGSEGV on its own enough to justify a CVE? For some apps the answer
> would be yes (e.g. a single threaded network service that crashes out). For
> something like gawk I'm not so sure, it's a local utility that shouldn't

I don't see a security issue here.  It is just a bug.  In order for it 
to be a security issue, it needs to be caused by external data input 
into the program (e.g. data processed by the awk script).  This would 
also apply to a network service which has a bug and crashes due to 
something other than specific external input (e.g. resource leak).

Bob
-- 
Bob Friesenhahn
bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
