
CVE-2016-6131 binutils, gdb, valgrind etc.



Hi folks,

I saw that Chris added a couple of packages to dla-needed.txt and Brian
already claimed binutils.

In my opinion CVE-2016-6131 is not a security issue and in this case we
should mark it as no-dsa. I did the same for all of the newly reported
CVEs last week. In general gdb and valgrind are development tools and
I'm sure there are numerous ways to craft a special executable that can
make these tools crash. You won't find the circumstances in a production
environment though, so I'm all for removing the packages from
dla-needed.txt until there is a real security issue. The security team
and others seem to agree. [1][2]

Regards,

Markus

[1] https://security-tracker.debian.org/tracker/source-package/binutils
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6131

