At Thu, 04 Nov 2004 17:10:25 +0100,
Helge Kreutzmann wrote:
> Package: libc6
> Version: 2.2.5-11.5
> Severity: grave
> Tags: woody, security
> Justification: user security hole
>
> I notice the Ubuntu Security USN-4-1 and did not find CAN-2004-0968 in
> the "Non-Vulnerable" list. I looked at catchsegv as an example and
> code like
>
> segv_output=`basename "$prog"`.segv.$$
>
> does not look secure to me.
>
> http://lwn.net/Alerts/108824/
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-00968
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136318

Thanks for your check. I/We'll look at it and work with the security
team for woody. Note that I guess we may need another glibc
2.3.2.ds1-19 for sarge to fix this issue (with David's recent
backtrace issue).

glibcbug was recently removed from the upstream CVS because it did not
work well (and moreover it's harmful), so I plan to remove it, but if
you have an objection, please let us know.

Regards,
-- gotom
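
Added example, not part of the original messages and not glibc's own code: the naming pattern quoted in the report next to two hardened ways of creating the output file. The name is built only from the program name and the PID, so in a directory other users can write to, someone else can create that path first. The function names and the sample program path are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and /usr/bin/demo are constructed.

# Pattern quoted in the report: the result depends only on the program
# name and the PID, both visible to other local users in advance.
predictable_name() {
    prog=$1
    pid=$2
    echo "$(basename "$prog").segv.$pid"
}

# Hardened form 1: mktemp chooses an unguessable suffix and creates the
# file atomically (exclusive create, mode 0600), so it never opens a
# path that already exists, whether regular file or symlink.
safe_segv_output() {
    prog=$1
    mktemp "${TMPDIR:-/tmp}/$(basename "$prog").segv.XXXXXX"
}

# Hardened form 2, for scripts that must keep a fixed name: with
# noclobber (set -C) the redirection fails instead of writing through
# an existing file or symlink. The subshell keeps set -C local.
create_exclusive() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# Demo: create a safely named output file, report it, clean up.
out=$(safe_segv_output /usr/bin/demo) &&
    echo "would log to: $out" &&
    rm -f "$out"
```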

