bug#23467: I found a security bug in gzip…
From: Eric Blake
Subject: bug#23467: I found a security bug in gzip…
Date: Wed, 11 May 2016 06:53:59 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
On 05/06/2016 10:40 AM, Jim Meyering wrote:
> On Fri, May 6, 2016 at 6:46 AM, none <address@hidden> wrote:
>> Hello,
>>
>> As a non-contributor, where shall I post sensitive patches that fix
>> important security threats?
>
> A good general approach is to look through recent commits,
> http://git.savannah.gnu.org/cgit/gzip.git and use the name/email of
> those who have been pushing changes.
For what it's worth, the original poster has been communicating with me
off-list (even though I haven't made many recent contributions), and
claiming that the bug in question is a repeat of CVE-2005-1228
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255 regarding path
traversal bugs when compiled for some Windows-based platforms. As that
is already a known exploit, I don't see it as a new security issue, but
at most just an incomplete fix to an already-public issue, and
therefore, see no reason why it can't be discussed in this public bug.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org