On Thu, 13 Jun 2002 14:58:34 -0600, "Theo de Raadt" <[EMAIL PROTECTED]> wrote:
> > Theo de Raadt <[EMAIL PROTECTED]> writes:
> > > I am shocked this is not being considered a security problem.
> > 
> > calm down, it is. It's already fixed in CVS and we will do a release
> > shortly after we've verified that it doesn't break things.
> Well, the attitude of uninformed denial still sucks...

I suppose that you are referring to my previous message.  Note that I
did not deny the fact that it is a bug that must be fixed.  I just
wanted to mention that the fix (which is already in CVS anyway) could
break things for some people and we should do some testing before
releasing the patch in a hurry.  In other words, we should not
consider this patch in isolation because we may have to modify some
other parts of the GIMP if we want to avoid breaking it for some
operating systems or for some specific configurations.  Maybe there is
nothing to change, in which case the patch could be released
immediately.  But maybe there is, so we should at least do some
testing (and I am doing that right now for several versions of Linux
and Solaris).

Also, I was specifically replying to Rockwalrus' suggestion that we
should have a "big notice" about this security fix and maybe publish
it on Bugtraq.  I thought that it was a bit excessive, that's why I
wrote: "The bug should be fixed, but the window of opportunity for
malicious uses of this shared memory segment seems to be rather small
so it does not deserve any big announcement."  I do not consider this
to be an "attitude of uninformed denial."  If this is how it was
perceived, then I am sorry for that.  Maybe I should have used a
better wording.  I am a quite security-conscious person and I
certainly do not want to leave any security hole open.

Gimp-developer mailing list
