This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Florian Weimer <fweimer at redhat dot com>, Hector Marco-Gisbert <hecmargi at upv dot es>, GNU C Library <libc-alpha at sourceware dot org>, "Joseph S. Myers" <joseph at codesourcery dot com>, Siddhesh Poyarekar <siddhesh at redhat dot com>, Andreas Jaeger <aj at suse dot com>
- Cc: Ismael Ripoll Ripoll <iripoll at upv dot es>
- Date: Mon, 19 Oct 2015 19:25:12 -0400
- Subject: Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.
- Authentication-results: sourceware.org; auth=none
- References: <1441471191-4683-1-git-send-email-hecmargi at upv dot es> <56162CD0 dot 4070902 at redhat dot com> <5618710F dot 6060406 at redhat dot com> <56210EF1 dot 9030801 at upv dot es> <56211681 dot 20200 at redhat dot com>
On 10/16/2015 11:23 AM, Florian Weimer wrote:
> On 10/16/2015 04:51 PM, Hector Marco-Gisbert wrote:
>> Hello all,
>>
>> It would be nice if our names (Hector Marco and Ismael Ripoll) appear in
>> the Changelog. At least showing that we reported the security issue.
>>
>> Previously reported security issues (i.e BZ #15754) were properly
>> credited in the Glibc Changelog.
>
> In my opinion, this was a mistake, we should credit only reporters which
> follow the established disclosure procedures.
>
> If you found a vulnerability which is sufficiently significant, in your
> opinion, to deserve credits and a CVE identifier, you should make at
> least one attempt to report it privately first. We do not want to keep
> things secret, but the pain of CVE assignment *after* public disclosure
> means that we currently need private vulnerability reports to arrange
> for CVE assignment.
I think this is slightly different from the notion you are used to in
the realm of security where the discovery of the vulnerability is widely
credited to some single source.
Regardless of the security impact of the bug, the patch and the idea came
from Hector.
You should do either multi-author if the code is based on Hector's patch:

    2013-09-23  Hector Marco  <hecmargi@upv.es>
                Ismael Ripoll  <iripoll@disca.upv.es>
                Carlos O'Donell  <carlos@redhat.com>

                ...
or you should thank Hector for the bug report via `Reported by`:

    2008-05-21  Ulrich Drepper  <drepper@redhat.com>

                * locales/iso14651_t1_common: Remove U0C0D entry added for Telugu.
                Reported by Pravin Satpute.
This has nothing to do with the security relevant attribution.
Cheers,
Carlos.