Hi, thank you. It is now in dla-needed.txt

// Ola

On 24 November 2016 at 14:59, Raphael Hertzog <[email protected]> wrote:
> Hi,
>
> On Tue, 22 Nov 2016, Ola Lundqvist wrote:
> > All of them are related to heap overflow that "can potentially cause
> > arbitrary code execution".
> > This is a security problem, but the question is how important it is.
> >
> > The crash is a DoS problem, but my guess is that from that perspective the
> > worst thing that will happen is that the person opening the file will be a
> > little upset and blame the person sending the file.
>
> We're speaking of a library, you don't know how the library is used
> by our users (outside of Debian packages). And even in Debian it's hard to
> investigate how it's used everywhere.
>
> Thus I would think twice before deciding to tag this no-dsa.
>
> > I do however think that this is less of an issue as files are not loaded
> > automatically (my assumption), but rather by a person who gets a file from a
> > hopefully rather trusted source.
>
> I would not make this assumption.
>
> > Also I have in other discussions got the impression that gcc nowadays has
> > some kind of heap protection that prevents overwrite of data causing
> > arbitrary code execution. I may be wrong however.
>
> Looking at hdf5 in wheezy, I don't see any hardening feature enabled. I
> wonder where you saw that gcc has such protections by default in Debian.
>
> > All in all I'm leaning towards marking these as no-dsa, but I would like
> > your advice before doing so.
>
> I would not mark them no-dsa.
>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  [email protected]                  Folkebogatan 26              \
|  [email protected]                  654 68 KARLSTAD              |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551   |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9   /
 ---------------------------------------------------------------
