Re: Reporting security issues in glib
Bug 560677 has been filed with little detail.

Any help getting it properly sealed up and ready for details will be
appreciated.

thanks again,
will

On Thu, Nov 13, 2008 at 10:46 AM, Will Drewry <redpig ocert org> wrote:
> Hi Gregory -
>
> Thanks for the detailed response!  I'll file a blank report to get the
> ball rolling on this.
>
> Thanks!
> will
>
> On Wed, Nov 12, 2008 at 8:48 AM, Gregory Leblanc
> <headmaster albus dumbledore gmail com> wrote:
>> I'm not sure who reads which lists, so I have left the cc: list
>> intact.  I get mail to foundation-list promptly, so as long as they
>> are on the list, there is no need to mail me directly.
>>
>> On Tue, Nov 11, 2008 at 10:32 AM, Will Drewry <redpig ocert org> wrote:
>>> Hi GNOME Foundation,
>>>
>>> Diego Pettenò (cc'd) reported a few integer overflows, to us at oCERT,
>>> which may lead to exploitable heap overflows in glib >= ~2.12.
>>> However, there doesn't appear to be a private tracker for
>>> security-sensitive bugs on the gnome/gtk web sites.  We'd like to help
>>> coordinate getting the bugs patched and vendors updated.  Our normal
>>> procedure is to do that with an embargo period (which cannot exceed
>>> two months) where the bugs are not disclosed.  Regardless, we're happy
>>> to accommodate whatever disclosure approach that you and Diego are
>>> comfortable with.  If you could let us know how we should proceed
>>> with reporting this security bug and any future bugs in the Gnome
>>> project, it would be much appreciated!
>>
>> There is not a private tracker that I know of, no.  At one point we
>> had discussed the ability to do this within bugzilla, by marking bugs
>> such as the ones you mention as 'security' or 'private' or somesuch.
>> It looks like this has been implemented by making it possible to have
>> bugs that are only visible to a specific bugzilla group.
>> Unfortunately, it is not currently possible to submit a report that is
>> already marked as private.  Andre has suggested filing a blank
>> report, asking for it to be marked private, and then adding the
>> details to the bug.
>>
>>> If you can recommend a better point of contact for getting this
>>> question answered, that would be equally appreciated.
>>
>> gnome-private gnome org is a mailing list that was originally created
>> to help handle these sorts of issues.  I haven't seen a post to it in
>> years, and I -know- that membership is currently unmaintained.  I
>> would not recommend this method, unless bugzilla proves to be
>> unworkable.  I hope that helps, and if I can provide any further
>> assistance, please let me know.
>>     Greg
>>
>