Re: advice needed on how to proceed
> They seem to be real security issues.
> The requester's attitude that his work is done since he's submitted the
> report is slightly annoying but I can see his perspective.
Please don't get me wrong here. I'm not requesting any work to be
done for me, however I expect from the debian project that security
problems aren't ignored. If that means that cups-pdf will not be a part
of sarge, that IMO is still far better than having a package of which
it is known that it compromises the root account. I currently don't
have the time to fix the problems myself, so I limit myself to finding
and reporting the problems - and to explaining things if something
is unclear about my report.
If you referred to my refusal to provide an exploit for the "buffer
underflow": I simply don't see any sense in constructing an exploit
when it is easier to fix the "bug-at-least" that causes accesses to an
undefined memory location that just happens to be a potential security
problem as well.
> If I had to spend my efforts on fixing security issues, locally
> generated ones would be second to network-available exploits. Also,
> the complexity of these exploits is such that many programs suffer from
> them and it's a matter of figuring out which ones are important to fix.
Dunno how you meant it, but these are "network-available" vulnerabilities.
Even if cups in its debian default config does only allow local users to
submit print jobs, it is a quite common configuration that at least
local networks are allowed granted to cups.