This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.




1.- We think that the issue is not critical => No need to report it privately. It is not exploitable by itself.

2.- We informed at the same time the oss-list, the Glibc maintainers and MITRE, with a full description including a PoC and a patch which fixes it.

3.- We completely agree to remove the buggy code rather than to fix it.

4.- The CVE can be assigned or not; it depends on many factors, and we don't care that much. But it is obvious that our contribution has been used to improve the security of the Glibc, and so it must be properly credited.

We follow in our work serious and responsible disclosure of all the issues that we find. BTW: It is strange that the authorship depends on how the issue is disclosed.

It is not easy to follow exactly the protocols defined by each different project, even more so when MITRE and the projects are changing their rules very often. We did our best! Again, we think this is not a critical issue.


Regards,
Hector and Ismael.


On 16/10/15 at 17:23, Florian Weimer wrote:
On 10/16/2015 04:51 PM, Hector Marco-Gisbert wrote:
Hello all,

It would be nice if our names (Hector Marco and Ismael Ripoll) appear in
the Changelog. At least showing that we reported the security issue.

Previously reported security issues (i.e. BZ #15754) were properly
credited in the Glibc Changelog.

In my opinion, this was a mistake; we should credit only reporters who
follow the established disclosure procedures.

If you found a vulnerability which is sufficiently significant, in your
opinion, to deserve credits and a CVE identifier, you should make at
least one attempt to report it privately first.  We do not want to keep
things secret, but the pain of CVE assignment *after* public disclosure
means that we currently need private vulnerability reports to arrange
for CVE assignment.

Florian


--
Hector Marco-Gisbert @ http://hmarco.org/
Cyber Security Researcher @ http://cybersecurity.upv.es
Universitat Politècnica de València (Spain)

