Date: Thu, 15 Sep 2016 16:51:26 -0400 From: Jeffrey Walton <noloader@...il.com> To: oss-security@...ts.openwall.com Subject: Does a documentation bug elevate to CVE status? Hi Everyone, Please forgive my ignorance and hair splitting. We were talking with the Debian Security Team and FW alerted us to a gap in our documentation. The gap is simple: we handle sensitive information and did not tell users that they must define -DNDEBUG when using alternate build systems, like Autotools or CMake. The project's supported build system, [GNU] Make, adds the define. The higher level concern is assert is a debugging and diagnostic aide that eventually raises a SIGABRT. We use them for debugging and diagnostics for development. During production, the assert is expected to be removed with NDEBUG and a C++ throw() follows. If the assert is _not_ removed, then machinery could engage that egresses the sensitive information to the file system (core files and the like). On some platforms, like Ubuntu with Apport, Apple with CrashReporter, and Windows with Windows Error Reporting, the sensitive information is egressed to a third party (multiple; the platform provider and the developer). We know entities like Apple, Google, Microsoft and app developers receive the information; see for example, the comment at https://github.com/weidai11/cryptopp/pull/172#issuecomment-218705068. So my question is, does a documentation bug elevate to CVE status? Thanks in advance, Jeff
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.