On Tue, 22 Nov 2016, Ola Lundqvist wrote:
> All of them are related to heap overflow that "can potentially cause
> arbitrary code execution".
> This is a security problem, but the question is how important it is.
> The crash is a DoS problem, but my guess is that from that perspective the
> worst thing that will happen is that the person opening the file will be a
> little upset and blame the person sending the file.
We're speaking of a library; you don't know how the library is used
by our users (outside of Debian packages). And even in Debian it's hard to
investigate how it's used everywhere.
Thus I would think twice before deciding to tag this no-dsa.
> I do however think that this is less of an issue as files are not loaded
> automatically (my assumption), but rather by a person who gets a file from a
> hopefully rather trusted source.
I would not make this assumption.
> Also I have in other discussions got the impression that gcc nowadays has
> some kind of heap protection that prevents overwriting of data causing
> arbitrary code execution. I may be wrong however.
Looking at hdf5 in wheezy, I don't see any hardening feature enabled. I
wonder where you saw that gcc has such protections by default in Debian.
> All in all I'm leaning towards marking these as no-dsa, but I would like
> your advice before doing so.
I would not mark them no-dsa.
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/
Learn to master Debian: http://debian-handbook.info/
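Raphaël's remark about hardening features can be checked directly on a built binary. The following is an added example, not code from this thread or from the hdf5 or Debian projects: it reads the ELF program headers for the markers that Debian's hardening flags produce (PIE, non-executable stack, RELRO) and uses symbol-name heuristics for the stack protector and FORTIFY_SOURCE; `hardening_report`, `make_sample_elf` and `report_file` are hypothetical helper names, and the sample image is constructed inline.

```python
import re
import struct

# ELF constants from the ELF gABI and glibc headers (not values from the thread).
ET_DYN, PT_GNU_STACK, PT_GNU_RELRO, PF_X = 3, 0x6474E551, 0x6474E552, 0x1


def hardening_report(data: bytes) -> dict:
    """Report the usual Debian hardening markers in a 64-bit little-endian ELF
    image: PIE (ET_DYN), non-executable stack (PT_GNU_STACK without PF_X) and
    RELRO (PT_GNU_RELRO present) from the program headers, plus stack protector
    (__stack_chk_fail) and FORTIFY_SOURCE (__*_chk) as symbol-name heuristics."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    stack_exec = True  # without any PT_GNU_STACK header the loader permits an executable stack
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "pie": e_type == ET_DYN,
        "nx_stack": not stack_exec,
        "relro": relro,
        "stack_protector": b"__stack_chk_fail\x00" in data,
        "fortify": re.search(rb"__[a-z0-9_]+_chk\x00", data) is not None,
    }


def make_sample_elf(pie: bool, nx: bool, relro: bool, symbols: bytes = b"") -> bytes:
    """Construct a minimal ELF64 image (header, program headers, fake string
    table) for exercising the report; it parses but is not loadable."""
    phdrs = [(PT_GNU_STACK, 0x6 if nx else 0x7)] + ([(PT_GNU_RELRO, 0x4)] if relro else [])
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9  # e_ident: ELF64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1, 0,
                        64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body + symbols


def report_file(path: str) -> dict:
    """Run the report on an on-disk object, e.g. a libhdf5 shared library."""
    with open(path, "rb") as f:
        return hardening_report(f.read())
```

On a real system, `hardening-check` from devscripts performs the same inspection with more care; this version only needs the standard library.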