Re: Testing needed for binutils security update
On 2014-12-26 16:02, Luciano Bello wrote:
On Tuesday 23 December 2014 13.30.22 Alexander Cherepanov wrote:
CVEs were assigned only to a small number of issues so far and I'm not
sure it's worth it to fix them without fixing others.
That's true, but we have to draw the line somewhere. The bigger the patches to
backport, the easier to introduce regressions.
I suggest to patch in this DSA those issues with a CVE id. We can later release
a new DSA with the next batch of patches.
Sure, whatever is more convenient for you.
Or did you fix
others too? You can find more issues and fixes in two upstream bugs:
and the process is not over, new issues are still being found and fixed.
The suggested package for this DSA fixes some of the PoC in these issues.
I guess these are exactly the issues CVEs were assigned for.
Sorry if it's not easy to track. I'd like to make it easier for Debian.
Any feedback on the process is welcome.
Indeed, it is not easy to track, but I don't know how to improve that.
If you (or others) get any ideas please let me know. I hope to fuzz more
programs in the future and I'm afraid it will be something similar.
It could be great to distinguish those critical crashes for security for those
less critical. I understand this might be complicated, tho.
There are some easy to implement ideas, e.g. to filter out non-security
issues like null derefs.
Would it be useful to sort issues with the help of the "exploitable" GDB
BTW, the situation with elfutils is somewhat similar, the bug report is
I'm reporting this issue to our elfutils maintainer to keep the track of it.
you know if there is a plan to get CVE id for this/these issue/s?
Probably we need to at least match fixes with samples before requesting
CVEs. I've written some thoughts here:
. Feel free to comment.