Re: Reporting security issues in glib



Hi Gregory -

Thanks for the detailed response!  I'll file a blank report to get the
ball rolling on this.

Thanks!
will

On Wed, Nov 12, 2008 at 8:48 AM, Gregory Leblanc
<headmaster albus dumbledore gmail com> wrote:
> I'm not sure who reads which lists, so I have left the cc: list
> intact.  I get mail to foundation-list promptly, so as long as they
> are on the list, there is no need to mail me directly.
>
> On Tue, Nov 11, 2008 at 10:32 AM, Will Drewry <redpig ocert org> wrote:
>> Hi GNOME Foundation,
>>
>> Diego Pettenò (cc'd) reported a few integer overflows, to us at oCERT,
>> which may lead to exploitable heap overflows in glib >= ~2.12.
>> However, there doesn't appear to be a private tracker for
>> security-sensitive bugs on the gnome/gtk web sites.  We'd like to help
>> coordinate getting the bugs patched and vendors updated.  Our normal
>> procedure is to do that with an embargo period (which cannot exceed
>> two months) where the bugs are not disclosed.  Regardless, we're happy
>> to accommodate whatever disclosure approach that you and Diego are
>> comfortable with.  If you could let us know how we should proceed
>> with reporting this security bug and any future bugs in the Gnome
>> project, it would be much appreciated!
>
> There is not a private tracker that I know of, no.  At one point we
> had discussed the ability to do this within bugzilla, by marking bugs
> such as the ones you mention as 'security' or 'private' or somesuch.
> It looks like this has been implemented by making it possible to have
> bugs that are only visible to a specific bugzilla group.
> Unfortunately, it is not currently possible to submit a report that is
> already marked as private.  Andre has suggested filing a blank
> report, asking for it to be marked private, and then adding the
> details to the bug.
>
>> If you can recommend a better point of contact for getting this
>> question answered, that would be equally appreciated.
>
> gnome-private gnome org is a mailing list that was originally created
> to help handle these sorts of issues.  I haven't seen a post to it in
> years, and I -know- that membership is currently unmaintained.  I
> would not recommend this method, unless bugzilla proves to be
> unworkable.  I hope that helps, and if I can provide any further
> assistance, please let me know.
>     Greg
>

