
Re: Bug Severity Help



On Tue, Oct 07, 2014 at 11:40:53PM -0400, Bill Blough wrote:
> In my opinion, people *shouldn't* be running untrusted stylesheets any more
> than they should run untrusted shell scripts or other code.  If we conveniently
> ignore that sometimes people do things that are unwise, then I would say the
> likelihood is low.

In that case, it's a "normal" severity bug at most.  Most Turing-complete
languages allow OOMing, and if Xalan stylesheets can already run arbitrary
code, an attacker can do things a lot funnier than just OOM.

-- 
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets.  Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.

