On Sun, Jun 2, 2013 at 11:51 AM, Nick Boyce wrote: > On Sunday 02 Jun 2013 16:13:43 Michael Gilbert wrote: > >> On Sun, Jun 2, 2013 at 9:32 AM, Nick Boyce wrote: >> >> > On Wednesday 29 May 2013 15:23:54 Michael Gilbert wrote: >> > >> >> or possibly have unspecified other impact via unknown vectors. >> > >> > I'm just wondering ... is that Google language for "or possibly allow >> > remote code execution" ? > [...] >> That is the intentionally vague language of CVE (e.g. >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2837). > [...] >> In terms of chromium, your best bet is simply to wait for the bugs to >> become unembargoed (e.g. >> https://code.google.com/p/chromium/issues/detail?id=235638). > > Thanks. It's just that I tend to expect that by the time a security fix is > released, those bugs *are* unembargoed, researchers are poring over code > diffs, > and clear descriptions are usually forthcoming cos there's no longer any point > in being coy. For instance, by the time a Firefox release is made Mozilla > states explicitly in the release information whether or not each bug could > cause rce. Same thing for Microsoft.
It's really Google's decision to make, and they have a statement in the faq: http://www.chromium.org/Home/chromium-security/security-faq Unfortunately their bugs tend to be embargoed for months (and I've seen a couple take over a year), which doesn't really live up to the spirit of their new 7 day policy, but then again that is only for issues that are known to be exploitable in the wild: http://googleonlinesecurity.blogspot.com/2013/05/disclosure-timeline-for-vulnerabilities.html You can always try pestering them at [email protected]. It's probably more of a matter of neglect than intentional. Best wishes, Mike -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/CANTw=MN9fOchcfLeGRzkCrgFib-O1jJi+7SAafp=bugz0qi...@mail.gmail.com
