Hi Dominic,

On 04/02/2013 21:28, Dominic Hargreaves wrote:
> I had no replies about this, so I think it's time to bite the bullet
> and decide whether we should target this fix at
>
> - stable-security
> - stable
> - neither of the above.
>
> I think I'm leaning towards stable on the basis that that's a slightly
> safer place to land a possibly-problematic fix, as well as the fact I
> don't know of any real world exploits for this, but I am open to (and
> welcome) all comments.
>
> I seem to remember reading that a point release of squeeze is
> due quite soon, but I couldn't find an announcement of such.

from http://openwall.com/lists/oss-security/2012/12/11/4:

"I think the vulnerability is effective only when attacker has first
argument of maketext() under control. However that means the attacker
can run any code even without this `vulnerability'. It's like saying
glibc's gettext() is vulnerable. But that's not true. Sure
gettext("%s", user_input) is not safe, but this is flaw in the caller,
not in the gettext. The same applies to Locale::Maketext::maketext().
Petr Pisar 2012-12-06 11:18:46 EST"

This is CVE-2012-6329 and I think this doesn't warrant a DSA, please fix it in stable.

Cheers,
Giuseppe.
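
The caller-side pattern discussed in the quoted oss-security message, as an added example that is not part of the original mail or of the Locale::Maketext distribution. The `MyApp::L10N` class names and the sample input are assumptions made for illustration; the lexicon uses `_AUTO` so that unknown keys are compiled as templates.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Locale::Maketext;

# Hypothetical application localization classes (names are assumptions).
package MyApp::L10N;
our @ISA = ('Locale::Maketext');

package MyApp::L10N::en;
our @ISA = ('MyApp::L10N');
# _AUTO makes maketext() compile any unknown key as a template on the fly.
our %Lexicon = (_AUTO => 1);

package main;

my $lh = MyApp::L10N->get_handle('en')
    or die "no language handle available\n";

# Constructed sample input: ordinary text that contains bracket notation.
my $user_input = 'Report [quant,_1,file] here';

# Caller flaw: the input is used as the template (first argument), so its
# bracket notation is compiled and evaluated against the other arguments.
my $as_template = $lh->maketext($user_input, 3);

# Corrected call: the template is a fixed string and the input travels as
# a parameter, which maketext() substitutes without compiling it.
my $as_parameter = $lh->maketext('[_1]', $user_input);

print "as template:  $as_template\n";
print "as parameter: $as_parameter\n";
print "template call altered the input:    ",
    ($as_template ne $user_input ? "yes" : "no"), "\n";
print "parameter call kept input verbatim: ",
    ($as_parameter eq $user_input ? "yes" : "no"), "\n";
```

An audit for this class of bug looks for `maketext()` calls whose first argument is not a constant string or a lexicon key chosen by the application.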