This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Requesting CVEs for glibc security issues

On 17 May 2014 00:55, Joseph S. Myers <> wrote:
> On Fri, 16 May 2014, Jeff Law wrote:
>> > E.g. bug 16618 (something I'd have
>> > thought would be a natural case for a CVE - wscanf may not be widely used,
>> > but it's still a buffer overrun if wscanf is used -
>> More likely nobody's contacted the appropriate folks.  Sounds like it'd be
>> worth of a CVE to me.
> I'm sort of presuming that some distribution security people are watching
> for newly filed glibc bugs that seem CVE-worthy, and requesting CVEs.

This doesn't seem to be the case. I am not sure of the
political/economic motivations behind creating CVEs but it seems the
onus is on the bug reporter/fixer to request a CVE on the oss-security
list. In my opinion it would be useful if the glibc project had some
kind of security person or team which could make sure any security
bugs are identified and CVEs requested.

It would also be useful to do the backports to stable branches of the
security fix, but at the moment it seems every vendor has their own
stable branch.

Will Newton
Toolchain Working Group, Linaro

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]