Hi,

> They seem to be real security issues.
>
> The requester's attitude that his work is done since he's submitted the
> report is slightly annoying but I can see his perspective.

Please don't get me wrong here. I'm not requesting any work to be done for me; however, I expect from the Debian project that security problems aren't ignored. If that means that cups-pdf will not be a part of sarge, that IMO is still far better than having a package which is known to compromise the root account.

I currently don't have the time to fix the problems myself, so I limit myself to finding and reporting the problems, and to explaining things if something is unclear about my report.

If you were referring to my refusal to provide an exploit for the "buffer underflow": I simply don't see any sense in constructing an exploit when it is easier to fix the "bug-at-least" that causes accesses to an undefined memory location, which just happens to be a potential security problem as well.

> If I had to spend my efforts on fixing security issues, locally
> generated ones would be second to network-available exploits. Also,
> the complexity of these exploits is such that many programs suffer from
> them and it's a matter of figuring out which ones are important to fix.

Dunno how you meant it, but these are "network-available" vulnerabilities. Even if cups in its Debian default config only allows local users to submit print jobs, it is a quite common configuration that at least local networks are granted access to cups.

Cya,
Florian

