This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Requesting CVEs for glibc security issues
- From: Will Newton <will dot newton at linaro dot org>
- To: "Joseph S. Myers" <joseph at codesourcery dot com>
- Cc: Jeff Law <law at redhat dot com>, Ondřej Bílka <neleai at seznam dot cz>, Florian Weimer <fweimer at redhat dot com>, Konstantin Serebryany <konstantin dot s dot serebryany at gmail dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Mon, 19 May 2014 08:46:16 +0100
- Subject: Requesting CVEs for glibc security issues
On 17 May 2014 00:55, Joseph S. Myers <joseph@codesourcery.com> wrote:
> On Fri, 16 May 2014, Jeff Law wrote:
>
>> > E.g. bug 16618 (something I'd have
>> > thought would be a natural case for a CVE - wscanf may not be widely used,
>> > but it's still a buffer overrun if wscanf is used -
>> More likely nobody's contacted the appropriate folks. Sounds like it'd be
>> worthy of a CVE to me.
>
> I'm sort of presuming that some distribution security people are watching
> for newly filed glibc bugs that seem CVE-worthy, and requesting CVEs.
This doesn't seem to be the case. I am not sure of the
political/economic motivations behind creating CVEs but it seems the
onus is on the bug reporter/fixer to request a CVE on the oss-security
list. In my opinion it would be useful if the glibc project had some
kind of security person or team which could make sure any security
bugs are identified and CVEs requested.
It would also be useful to do the backports to stable branches of the
security fix, but at the moment it seems every vendor has their own
stable branch.
--
Will Newton
Toolchain Working Group, Linaro