On Tue, Sep 28, 2010 at 11:17:27PM -0400, buginator wrote:
> On 9/28/10, Per Inge Mathisen wrote:
>> On Tue, Sep 28, 2010 at 5:25 AM, buginator wrote:
>>> On 9/27/10, buginator wrote:
>>>> It was said that it would be a good idea to get a CVE.
>>>> http://cve.mitre.org/cve/obtain_id.html
>>>>
>>>> Anyone care to chime in on this one way or the other ?
>>>
>>> Since I was just a tad bit too terse... the reason for this is:
>>>
>>> So we can have some co-ordination with the security team of all the
>>> distros who are distributing wz.
>>>
>>> See their FAQ entry: http://cve.mitre.org/about/faqs.html#a4
>>
>> I am confused. You have a security issue you are going to need to go
>> public with?
>
> It would be for the buffer overflow issues that we fixed, though we
> didn't do this in the past, it is just a 'nicer'(?) way to handle
> these types of things.
Sounds like overkill and a bureaucratic variant of "featuritis" to me.

Please note that not every buffer overflow is a potential security risk; most buffer overflows only cause DoS (in the form of a segfault). Only when a *remote* user can inject code *and* cause it to be executed would I consider a buffer overflow to be a security risk. I.e. local privilege escalation can be disregarded, as Warzone's purpose is *not* to sandbox local users.

So if you've found a potential remote privilege escalation bug (i.e. one that somehow includes remote data in the execution stream), feel free to apply for a CVE then.

And if I read that FAQ correctly, there's no need to apply for some organisation- or project-specific entry either. Thus you're only required to apply for *anything* with them when you have a security issue to begin with.

-- Giel

--
"When all you have is a hammer, everything starts to look like a nail." -- Abraham Maslow
_______________________________________________
Warzone-dev mailing list
Warzonefirstname.lastname@example.org
https://mail.gna.org/listinfo/warzone-dev