On Tue, Sep 28, 2010 at 11:17:27PM -0400, buginator wrote:
> On 9/28/10, Per Inge Mathisen  wrote:
>> On Tue, Sep 28, 2010 at 5:25 AM, buginator  wrote:
>>> On 9/27/10, buginator  wrote:
>>>> It was said that it would be a good idea to get a CVE.
>>>> http://cve.mitre.org/cve/obtain_id.html
>>>> Anyone care to chime in on this one way or the other ?
>>> Since I was just a tad bit too terse... the reason for this is:
>>> So we can have some co-ordination with the security team of all the
>>> distros who are distributing wz.
>>> See their FAQ entry: http://cve.mitre.org/about/faqs.html#a4
>> I am confused. You have a security issue you are going to need to go
>> public with?
> It would be for the buffer overflow issues that we fixed, though we
> didn't do this in the past, it is just a 'nicer'(?) way to handle
> these type of things.

Sounds like overkill and a bureaucratic variant of "featuritis" to me.
Please note that not every buffer overflow is a potential security risk,
most buffer overflows only cause DoS (in the form of a segfault).

Only when a *remote* user can inject code *and* cause it to be executed
would I consider a buffer overflow to be a security risk.  I.e. local
privilege escalation can be disregarded as Warzone's purpose is *not* to
sandbox local users.  So if you've found a potential remote privilege
escalation (i.e. somehow includes remote data in the execution stream)
bug feel free to apply for a CVE then.

And if I read that FAQ correctly there's no need to apply for some
organisation or project-specific entry either.  Thus you're only
required to apply for *anything* with them when you have a security
issue to begin with.

"When all you have is a hammer, everything starts to look like a nail."
  -- Abraham Maslow

Attachment: signature.asc
Description: Digital signature

Warzone-dev mailing list

Reply via email to