This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.
- From: Joseph Myers <joseph at codesourcery dot com>
- To: Hector Marco-Gisbert <hecmargi at upv dot es>
- Cc: Florian Weimer <fweimer at redhat dot com>, Carlos O'Donell <carlos at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>, Siddhesh Poyarekar <siddhesh at redhat dot com>, Andreas Jaeger <aj at suse dot com>, Ismael Ripoll Ripoll <iripoll at upv dot es>
- Date: Mon, 19 Oct 2015 16:48:22 +0000
- Subject: Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.
On Mon, 19 Oct 2015, Hector Marco-Gisbert wrote:
> 4.- The CVE can be assigned or not, it depends on many factors, we don't care
> that much. But it is obvious that our contribution has been used to improve
> the security of the Glibc, and then it must be properly credited.
Isn't the normal credit for a bug reported in public (whether or not a
security bug): the bug number is referenced in the ChangeLog and the
commit message, and anyone can follow that reference back to see who
reported the bug? I would hope that databases of CVEs would also point
directly to the bug report in Bugzilla, not just the commit fixing the
bug.
--
Joseph S. Myers
joseph@codesourcery.com