This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.
- From: Florian Weimer <fweimer at redhat dot com>
- To: Hector Marco-Gisbert <hecmargi at upv dot es>, "Carlos O'Donell" <carlos at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>, "Joseph S. Myers" <joseph at codesourcery dot com>, Siddhesh Poyarekar <siddhesh at redhat dot com>, Andreas Jaeger <aj at suse dot com>
- Cc: Ismael Ripoll Ripoll <iripoll at upv dot es>
- Date: Fri, 16 Oct 2015 17:23:45 +0200
- Subject: Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.
- Authentication-results: sourceware.org; auth=none
- References: <1441471191-4683-1-git-send-email-hecmargi at upv dot es> <56162CD0 dot 4070902 at redhat dot com> <5618710F dot 6060406 at redhat dot com> <56210EF1 dot 9030801 at upv dot es>
On 10/16/2015 04:51 PM, Hector Marco-Gisbert wrote:
> Hello all,
>
> It would be nice if our names (Hector Marco and Ismael Ripoll) appeared in
> the ChangeLog, at least showing that we reported the security issue.
>
> Previously reported security issues (i.e. BZ #15754) were properly
> credited in the glibc ChangeLog.
In my opinion, this was a mistake; we should credit only reporters who
follow the established disclosure procedures.
If you found a vulnerability which is sufficiently significant, in your
opinion, to deserve credit and a CVE identifier, you should make at
least one attempt to report it privately first. We do not want to keep
things secret, but the pain of CVE assignment *after* public disclosure
means that we currently need private vulnerability reports to arrange
for CVE assignment.
Florian