
Re: unzip CVE-2019-13232



On 03/08/2019 14:05, Markus Koschany wrote:
> Am 03.08.19 um 10:55 schrieb Sylvain Beucler:
> [...]
>> When an early fix is more likely to introduce regressions than protect
>> users from real-world attacks, don't we mark it as 'postponed'?
> We only postpone a fix if there is a minor issue and it is not worth
> fixing via a standalone update. Every fix has in theory the potential to
> introduce a regression because we change something. The answer can't be
> to stop fixing bugs but to evaluate the possible impact of a change and
> if necessary correct the patch in another step. If the risk of a
> regression outweighs the benefit of a fix we usually mark the CVE as
> "ignored", e.g. when upstream introduces a new security option that
> requires a lot of code refactoring but only improves the security for
> non-default setups in rather uncommon scenarios.

That was more addressed at security-team@, I was just going your way to
say that marking zip-bomb 'unimportant' just because it was likely to
introduce important regressions conveyed the wrong message.

- Sylvain
