On 27/08/18 18:22, Moritz Muehlenhoff wrote:
> On Mon, Aug 27, 2018 at 05:40:01PM +0800, Bjoern wrote:
>
> > -- Begin Quote: ----------------------
> > From: Chris Lamb <lamby@debian.org>
> > To: 906012@bugs.debian.org
> > Cc: team@security.debian.org
> > Subject: Re: libxcursor: CVE-2015-9262
> > Date: Mon, 13 Aug 2018 08:18:27 +0100
> >
> > [Message part 1 (text/plain, inline)]
> >
> > Hi security team,
> >
> > > libxcursor: CVE-2015-9262
> >
> > I have prepared an update for stretch:
> >
> >   libxcursor (1:1.1.14-1+deb9u2) stretch-security; urgency=high
> >
> >     * Non-maintainer upload by the Security Team.
> >     * Fix a denial of service or potentially code execution via a
> >       one-byte heap overflow. (CVE-2015-9262) (Closes: #906012)
> >
> >    -- Chris Lamb <lamby@debian.org>  Mon, 13 Aug 2018 09:09:13 +0200
> >
> > Full debdiff attached. Permission to upload to stretch-security?
> > -- End Quote: ------------------------
> >
> > Hi Chris & Security Team:
> >
> > Has Chris' patch for "Stretch" gone to /dev/null?
> >
> > "Stretch"/stable remains exposed whilst old-stable, testing, and unstable have been patched.
> >
> > May I seek your enlightenment on this matter?
>
> This turned out to be non-exploitable. A fix will be provided via the stretch 9.6 point release.
>
> Cheers,
>         Moritz
Hi.

As I am clearly unfamiliar with your processes, I really would appreciate the clarification to better my understanding and perhaps quell my concerns:
* How far away is the 9.6 point release (given that 9.5 was released just over 1.5 months ago)?
* Why could the issue not be dealt with by simply supplying the fix in the nearer term as a security update? Would it not be better to err on the side of caution?
* I still would like to be pointed to the reference(s) and/or criteria used by the Security Team to determine that the issue is non-exploitable and a minor issue. I have searched around to find references regarding CVE-2015-9262 being non-exploitable, but have so far not found anything suggesting such - hence my request for a pointer.
I ask your forgiveness for my persistence on this matter and beg that you don't dismiss me out of hand. What may very well be clear to you - unfortunately is not currently clear to me, or perhaps other potential future contributors to the Debian project I might add.
I notice that a similar protocol of "ignored security issue"/"minor issue" is applied to the recent security bug raised against libx11.
I really would welcome constructive feedback here.

Kindest regards,
Bjoern.