Reporting security issues in glib



Hi GNOME Foundation,

Diego Petten (cc'd) reported a few integer overflows, to us at oCERT,
which may lead to exploitable heap overflows in glib >= ~2.12.
However, there doesn't appear to be a private tracker for
security-sensitive bugs on the gnome/gtk web sites.  We'd like to help
coordinate getting the bugs patched and vendors updated.  Our normal
procedure is to do that with an embargo period (which cannot exceed
two months) where the bugs are not disclosed.  Regardless, we're happy
to accommodate whatever disclosure approach that you and Diego are
comfortable with.   If you could let us know how we should proceed
with reporting this security bug and any future bugs in the Gnome
project, it would be much appreciated!

If you can recommend a better point of contact for getting this
question answered, that would be equally appreciated.

Thanks!
will

--
Will Drewry <redpig ocert org>
oCERT Team :: http://ocert.org

