cygwin1.dll up to 1.5.22 overflow

Daniel Fdez. Bleda
Thu Nov 8 12:50:00 GMT 2007

Dear Corinna,

I understand from this that you are asking for that details about
explotation, pof, etc. of a vulnerability of a software should be
directly disclosed in the list? Sounds some kind of dangerous.

I didn't usually include in "bugs" a bof that permits execute code.

I'll do this as you requested omitting sensible information.


Corinna Vinschen escribió:
> On Nov  8 12:23, Daniel Fdez. Bleda wrote:
>> Dear Cygwin developers,
>> One members of our team discovered a serious vulnerability, not
>> published and docummented in Cygwin up to 1.5.22. It seam to be
>> corrected in recent versions but we don't know if collateral to other
>> correction or directly patched.
>> As the cygwin site is absolutely unclear about where send bugs, but is
>> absolutely clear what not to send I wonder where I should send this info.
> The cygwin AT cygwin DOT com mailing list is the right place, as described
> on
>>           ____________________________________
>> Este mensaje y los documentos que, en su caso lleve anexos, pueden
>> [etc...]
> Plese refrain from sending this sort of disclaimers to mailing lists,
> as described on
> Thanks,
> Corinna

More information about the Cygwin-developers mailing list