[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20181129231255.25fe8a92@computer>
Date: Thu, 29 Nov 2018 23:12:55 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: memory safety bugs in bc
On Thu, 29 Nov 2018 11:40:54 -0500
Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote:
> I haven't evaluated how many of those systems might pass untrusted
> input to bc (maybe none!), but this is hardly "standalone".
I think that's not what Marcus meant.
These packages on debian likely call bc via the commandline.
The idea here is that "mild" memory safety violations (invalid reads,
nullptr) don't get security treatment if they're in a standalone tool,
yet they do if they're in a library, which may have larger implications
in more complex apps.
I can somewhat understand that. (And decided for myself not to care
too much about CVEs anyway. Relevant for me is primarily that I shared
the info, so others can decide how they act on it.)
--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
