Vincent Lefevre (HE12025-10-31):
> You would have seen that there is potential denial of service
> (process crashes).

At worst, true. It is a mistake to lump denials of service together with
real security flaws. For starters, it is possible to deny service by
the virtue of being bigger than the target, without any flaw in the
target.

> Worse, Fabio Degrigis could trigger a SIGSEGV on a memcpy:
>
> https://www.openwall.com/lists/oss-security/2025/10/18/4
>
> which would mean a bad pointer or buffer overflow.

→ a crash.

> Almost all software runs on Windows or Macos. So what?
> Here we're on Debian.

You have not answered: so what if most software does something? Is it
supposed to imply that it is a good thing?

> This is silly.

Absolutely not. In terms of security and stability, there is no
difference between a package that you have not installed because you
have chosen not to install it and a package that you have not installed
because it is not available.

Regards,

-- 
  Nicolas George

