This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
On Thu, Jul 03, 2014 at 02:30:38PM +0200, Florian Weimer wrote:
> It's quite difficult for me to determine the security impact of bugs in
> nscd. We have quite a few crashers under heavy load (threading issues,
> cache size leading to stack overflows etc.). What's the real-world impact
> of an nscd crash? Is there a functionality impact if in-process NSS modules
> are used? (Let's ignore broken modules such as the old nss_ldap
> module.)

nscd crashes would only mean degraded service. Depending on the service it is caching, the degradation may range from insignificant to quite serious.

> The other difficulty in this area is NIS. If we have a buffer overflow in
> processing data from NIS, is this a security bug? As far as I can tell, NIS
> is mostly used for accounts, so a malicious server could just serve an
> account with UID=0, so it's not obvious to me that a trust boundary is crossed
> (which is required for a security vulnerability).

I don't know enough about this to make a useful comment.

> PS: Our friendly Bugzilla admins disabled notifications for security-
> transactions. Thanks!

Thanks for this; I have been working around it by labeling all glibc-bugs emails.

Siddhesh