[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2016-6131 binutils, gdb, valgrind etc.

On 07.07.2016 10:36, Santiago Ruano Rincón wrote:
> El 06/07/16 a las 18:43, Bálint Réczey escribió:
>> Hi,
>> 2016-07-06 18:22 GMT+02:00 Holger Levsen <holger@layer-acht.org>:
>>> On Wed, Jul 06, 2016 at 05:57:43PM +0200, Markus Koschany wrote:
>>>> In this specific case I wouldn't do it because of the reasons I have
>>>> mentioned before but more input from others is welcome. If we decide to
>>>> fix these issues we also need to take care of valgrind, nescc,
>>>> libiberty, ht, gdb, gcc-h8300-hms and binutils-h8300-hms. Otherwise it
>>>> would be rather inconsistent.
>>> I disagree. Perfect is the enemy of good. We have inconsistances in many
>>> places too.
>>> Brians work was useful and should not be lost. It's good to close
>>> "minor" security holes.
>> I agree. Sometimes exploiting a combination of "minor" issues can be
>> combined  to allow more severe attacks. If the fixes are safe, I think they
>> should be released.
> Hi,
> After talking with Salvatore and Guido, we plan to discuss about the
> no-dsa meaning for oldstable during BoF tomorrow. One of the reasons
> for tagging no-dsa minor issues is to handle them via point-releases.
> Since we don't have this in LTS, "minor" issues like those in binutils
> and co, should be handled/fixed earlier in oldstable.
> So, if we have safe fixes, there is no reason to don't release them.
> Of course, everything is issue-specific.

I completely agree with the general statements made in this thread so
far. However my main concern was and still is that that I can't imagine
a real life scenario where those CVEs pose any security risk for
production systems. In case of CVE-2016-6131 I doubt that this even
qualifies as a security issue. So in my opinion these are just normal
bugs and I was inclined to mark them as such. Perhaps "unimportant"
(from a security point of view) would be a better term than "no-dsa" in
this case.

I'm well aware that the security team tags those issues to handle them
via point releases, although I sometimes disagree with their decisions
like for instance marking CVE-2015-3245 and CVE-2015-3246 as no-dsa
although they are both clearly security issues and exploitable by any
user with libuser installed on the system. I think in this case it would
be better to increase the visibility of this fact by announcing a DSA.

Moritz' idea of releasing fixes as bundles via some sort of point
release is worth considering although I think we can be much more
flexible similar to the default-java switch when I uploaded 14 packages
at one day. [1]



[1] https://lists.debian.org/debian-lts-announce/2016/05/msg00007.html

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: