Re: CVE-2016-6131 binutils, gdb, valgrind etc.

On 06.07.2016 09:38, Brian May wrote:
> Markus Koschany <apo@debian.org> writes:
>> In my opinion CVE-2016-6131 is not a security issue and in this case we
>> should mark it as no-dsa. I did the same for all of the newly reported
>> CVEs last week. In general gdb and valgrind are development tools and
>> I'm sure there are numerous ways to craft a special executable that can
>> make these tools crash. You won't find the circumstances in a production
>> environment though, so I'm all for removing the packages from
>> dla-needed.txt until there is a real security issue. The security team
>> and others seem to agree. [1][2]
> I have a build of binutils for all pending CVEs except CVE-2016-4491,
> which I did not apply due to the code being very different - which could
> mean that the CVE doesn't apply to the wheezy version. The debdiff is
> applied. I haven't tested yet, was about to do that today.
> Are you saying I should not worry about uploading my package at this
> point in time?

In this specific case I wouldn't do it because of the reasons I have
mentioned before but more input from others is welcome. If we decide to
fix these issues we also need to take care of valgrind, nescc,
libiberty, ht, gdb, gcc-h8300-hms and binutils-h8300-hms. Otherwise it
would be rather inconsistent.
