This is the mail archive of the
mailing list for the glibc project.
RE: DNS Resolver library testing
- From: "Holliday, Robert" <rhollida at ciena dot com>
- To: "libc-help at sourceware dot org" <libc-help at sourceware dot org>
- Date: Fri, 21 Aug 2015 18:38:16 -0400
- Subject: RE: DNS Resolver library testing
- Authentication-results: sourceware.org; auth=none
- References: <9B8F4BBDF8AAA54693083BC8753AE3A70AB642B9A8 at ONWVEXCHMB05 dot ciena dot com> <55D7A668 dot 8020208 at gmail dot com>
I need help from the GLIBC community.
It takes a lot of time to analyze them and figure out what the issues are with the code.
I have already submitted one to the libc-alpha mailing list, and nobody has even reviewed the issue.
From: Ángel González [mailto:firstname.lastname@example.org]
Sent: Friday, August 21, 2015 3:30 PM
To: Holliday, Robert
Subject: Re: DNS Resolver library testing
On 21/08/15 23:43, Holliday, Robert wrote:
> Is there a contact with the GLIBC library, that would be willing to
> work with Codenomicon, to scan the DNS Resolver library, and report
> the vulnerabilities to the GLIBC community, which would help get them fixed and make the DNS library used more secure?
> Please contact email@example.com. They have worked with many other
> open source projects to make them less vulnerable. I am not able to
> get the DNS library scanned by them, they will only work with members of the GLIBC team.
If you already have the tool, and have already found
"many zero-day vulnerabilities" on it, why is the contact to codenomicon needed?
I mean, I welcome that it gets fuzzed and codenomicon offers that, but IMHO that should be *in addition* of reporting (and fixing) the vulnerabilities you already found, which should be step 1.