[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Testing needed for binutils security update

On Tuesday 23 December 2014 13.30.22 Alexander Cherepanov wrote:
> CVEs were assigned only to a small number of issues so far and I'm not
> sure it's worth it to fix them without fixing others.

That's true, but we have to draw the line somewhere. The bigger the patches to 
backport, the easier to introduce regressions. 

I suggest to patch in this DSA those issues with a CVE id. We can later release 
a new DSA with the next batch of patches.

> Or did you fix
> others too? You can find more issues and fixes in two upstream bugs:
> https://sourceware.org/bugzilla/show_bug.cgi?id=17512
> https://sourceware.org/bugzilla/show_bug.cgi?id=17531
> and the process is not over, new issues are still being found and fixed.

The suggested package for this DSA fixes some of the PoC in these issues. 
> Sorry if it's not easy to track. I'd like to make it easier for Debian.
> Any feedback on the process is welcome.

Indeed, it is not easy to track, but I don't know how to improve that.

It could be great to distinguish those critical crashes for security for those 
less critical. I understand this might be complicated, tho.

> BTW, the situation with elfutils is somewhat similar, the bug report is
> here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1170810

I'm reporting this issue to our elfutils maintainer to keep the track of it. Do 
you know if there is a plan to get CVE id for this/these issue/s?

Cheers, luciano

Reply to: