Re: Reporting security issues in glib
I'm not sure who reads which lists, so I have left the cc: list
intact.  I get mail to foundation-list promptly, so as long as they
are on the list, there is no need to mail me directly.

On Tue, Nov 11, 2008 at 10:32 AM, Will Drewry <redpig ocert org> wrote:
> Hi GNOME Foundation,
>
> Diego Pettenò (cc'd) reported a few integer overflows, to us at oCERT,
> which may lead to exploitable heap overflows in glib >= ~2.12.
> However, there doesn't appear to be a private tracker for
> security-sensitive bugs on the gnome/gtk web sites.  We'd like to help
> coordinate getting the bugs patched and vendors updated.  Our normal
> procedure is to do that with an embargo period (which cannot exceed
> two months) where the bugs are not disclosed.  Regardless, we're happy
> to accommodate whatever disclosure approach that you and Diego are
> comfortable with.  If you could let us know how we should proceed
> with reporting this security bug and any future bugs in the Gnome
> project, it would be much appreciated!

There is not a private tracker that I know of, no.  At one point we
had discussed the ability to do this within bugzilla, by marking bugs
such as the ones you mention as 'security' or 'private' or somesuch.
It looks like this has been implemented by making it possible to have
bugs that are only visible to a specific bugzilla group.
Unfortunately, it is not currently possible to submit a report that is
already marked as private.  Andre has suggested filing a blank
report, asking for it to be marked private, and then adding the
details to the bug.

> If you can recommend a better point of contact for getting this
> question answered, that would be equally appreciated.

gnome-private gnome org is a mailing list that was originally created
to help handle these sorts of issues.  I haven't seen a post to it in
years, and I -know- that membership is currently unmaintained.  I
would not recommend this method, unless bugzilla proves to be
unworkable.  I hope that helps, and if I can provide any further
assistance, please let me know.
     Greg