On 2/18/23 23:06, enh via Toybox wrote:
> on your blog, you said:
> """
> Wait... really? There's a toybox CVE for httpd? (Yeah I remember
> fixing that bug, but was it really worth a Charged Vacuum Emboitment?)
> """
>
> given that the original bug on github explicitly had the "found by
> $FOO of $BAR" boilerplate that you tend to see from security
> researchers who file these things for a living, i assume they also
> filed the CVE so they can claim priority if anything ever does come of
> this bug. (this is one reason why consumers of CVEs have their own
> people to try to determine the relevance/severity _to them_.)
>
> if you ever get a "real" CVE -- one that's "obviously" important --
> they'll probably mail you directly rather than zero-day you via the
> github issue tracker :-)

Eh, it's hard to tell what is and isn't relevant when exploits wind up chaining together 13 different minor things, but the command was less than a year old, static-only, doesn't work as a standalone daemon and I haven't shipped an actual inetd yet, and I thought exposing an external port on an android device required some sort of blood sacrifice from AT LEAST three different types of animal?

It was more an "is... is somebody already _using_ this?" (It was promoted on April 24, the segfault was reported and fixed May 29. They had something like 35 days to notice...)

I shouldn't be surprised it's RFC logic, publish the slush pile and let somebody else filter out an interesting subset. (So what does Mitre do then? Other than provide another layer of indirection for laundering black budgets, which is like half of Arlington's economy and probably a good chunk of Alexandria...)

Rob