On 06.07.2016 09:38, Brian May wrote: > Markus Koschany <apo@debian.org> writes: > >> In my opinion CVE-2016-6131 is not a security issue and in this case we >> should mark it as no-dsa. I did the same for all of the newly reported >> CVEs last week. In general gdb and valgrind are development tools and >> I'm sure there are numerous ways to craft a special executable that can >> make these tools crash. You won't find the circumstances in a production >> environment though, so I'm all for removing the packages from >> dla-needed.txt until there is a real security issue. The security team >> and others seem to agree. [1][2] > > I have a build of binutils for all pending CVEs except CVE-2016-4491, > which I did not apply due to the code being very different - which could > mean that the CVE doesn't apply to the wheezy version. The debdiff is > applied. I haven't tested yet, was about to do that today. > > Are you saying I should not worry about uploading my package at this > point in time? In this specific case I wouldn't do it because of the reasons I have mentioned before but more input from others is welcome. If we decide to fix these issues we also need to take care of valgrind, nescc, libiberty, ht, gdb, gcc-h8300-hms and binutils-h8300-hms. Otherwise it would be rather inconsistent.
Attachment:
signature.asc
Description: OpenPGP digital signature