Re: Reporting security issues in glib
- From: "Will Drewry" <redpig ocert org>
- To: "Gregory Leblanc" <headmaster albus dumbledore gmail com>
- Cc: Diego Pettenò <flameeyes gmail com>, team ocert org, foundation-list gnome org
- Subject: Re: Reporting security issues in glib
- Date: Thu, 13 Nov 2008 13:14:23 -0600
Bug 560677 has been filed with little detail.
Any help getting it properly sealed up and ready for details will be
On Thu, Nov 13, 2008 at 10:46 AM, Will Drewry <redpig ocert org> wrote:
> Hi Gregory -
> Thanks for the detailed response! I'll file a blank report to get the
> ball rolling on this.
> On Wed, Nov 12, 2008 at 8:48 AM, Gregory Leblanc
> <headmaster albus dumbledore gmail com> wrote:
>> I'm not sure who reads which lists, so I have left the cc: list
>> intact. I get mail to foundation-list promptly, so as long as they
>> are on the list, there is no need to mail me directly.
>> On Tue, Nov 11, 2008 at 10:32 AM, Will Drewry <redpig ocert org> wrote:
>>> Hi GNOME Foundation,
>>> Diego Pettenò (cc'd) reported a few integer overflows, to us at oCERT,
>>> which may lead to exploitable heap overflows in glib >= ~2.12.
>>> However, there doesn't appear to be a private tracker for
>>> security-sensitive bugs on the gnome/gtk web sites. We'd like to help
>>> coordinate getting the bugs patched and vendors updated. Our normal
>>> procedure is to do that with an embargo period (which cannot exceed
>>> two months) where the bugs are not disclosed. Regardless, we're happy
>>> to accommodate whatever disclosure approach that you and Diego are
>>> comfortable with. If you could let us know how we should proceed
>>> with reporting this security bug and any future bugs in the Gnome
>>> project, it would be much appreciated!
>> There is not a private tracker that I know of, no. At one point we
>> had discussed the ability to do this within bugzilla, by marking bugs
>> such as the ones you mention as 'security' or 'private' or somesuch.
>> It looks like this has been implemented by making it possible to have
>> bugs that are only visible to a specific bugzilla group.
>> Unfortunately, it is not currently possible to submit a report that is
>> already marked as private. Andre has suggested filing a blank
>> report, asking for it to be marked private, and then adding the
>> details to the bug.
>>> If you can recommend a better point of contact for getting this
>>> question answered, that would be equally appreciated.
>> gnome-private gnome org is a mailing list that was originally created
>> to help handle these sorts of issues. I haven't seen a post to it in
>> years, and I -know- that membership is currently unmaintained. I
>> would not recommend this method, unless bugzilla proves to be
>> unworkable. I hope that helps, and if I can provide any further
>> assistance, please let me know.