[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: advice needed on how to proceed


> They seem to be real security issues.
> The requester's attitude that his work is done since he's submitted the 
> report is slightly annoying but I can see his perspective.

Please don't get me wrong here. I'm not requesting any work to be
done for me, however I expect from the debian project that security
problems aren't ignored. If that means that cups-pdf will not be a part
of sarge, that IMO is still far better than having a package of which
it is known that it compromises the root account. I currently don't
have the time to fix the problems myself, so I limit myself to finding
and reporting the problems - and to explaining things if something
is unclear about my report.

If you referred to my refusal to provide an exploit for the "buffer
underflow": I simply don't see any sense in constructing an exploit
when it is easier to fix the "bug-at-least" that causes accesses to an
undefined memory location that just happens to be a potential security
problem as well.

> If I had to spend my efforts on fixing security issues, locally 
> generated ones would be second to network-available exploits.  Also, 
> the complexity of these exploits is such that many programs suffer from 
> them and it's a matter of figuring out which ones are important to fix.

Dunno how you meant it, but these are "network-available" vulnerabilities.
Even if cups in its debian default config does only allow local users to
submit print jobs, it is a quite common configuration that at least
local networks are allowed granted to cups.

Cya, Florian

Reply to: