[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 2695-1] chromium-browser security update

On Sun, Jun 2, 2013 at 11:51 AM, Nick Boyce wrote:
> On Sunday 02 Jun 2013 16:13:43 Michael Gilbert wrote:
>> On Sun, Jun 2, 2013 at 9:32 AM, Nick Boyce wrote:
>> > On Wednesday 29 May 2013 15:23:54 Michael Gilbert wrote:
>> >
>> >> or possibly have unspecified other impact via unknown vectors.
>> >
>> > I'm just wondering ... is that Google language for "or possibly allow
>> > remote code execution" ?
> [...]
>> That is the intentionally vague language of CVE (e.g.
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2837).
> [...]
>> In terms of chromium, your best bet is simply to wait for the bugs to
>> become unembargoed (e.g.
>> https://code.google.com/p/chromium/issues/detail?id=235638).
> Thanks.  It's just that I tend to expect that by the time a security fix is
> released, those bugs *are* unembargoed, researchers are poring over code diffs,
> and clear descriptions are usually forthcoming cos there's no longer any point
> in being coy.  For instance, by the time a Firefox release is made Mozilla
> states explicitly in the release information whether or not each bug could
> cause rce.  Same thing for Microsoft.

It's really Google's decision to make, and they have a statement in the faq:

Unfortunately their bugs tend to be embargoed for months (and I've
seen a couple take over a year), which doesn't really live up to the
spirit of their new 7 day policy, but then again that is only for
issues that are known to be exploitable in the wild:

You can always try pestering them at security@chromium.org.  It's
probably more of a matter of neglect than intentional.

Best wishes,

Reply to: