On Tue, 13 Oct 2009 19:23:26 +0200, Reinhard Tartler wrote:

> As for this bug, I'm inclined to close this bug with the upload of
> [2]. The reason is that this report is way too imprecise. This report
> currently reads "the package has been found crashers that might
> compromise the system". Sorry, this is just not helpful. We'd really
> need at least a list of concrete issues, ideally with reference to the
> relevant svn commits (so that commit messages can be reviewed) that can
> be processed and backported.
in an ideal world every security issue would come with a complete prescription and regimen to make it all better. however, we do not live in such a place. the best we can do is track the issue at hand, follow work being done elsewhere, and potentially spend our own precious time testing and writing fixes. obviously this is a lot of work, but it is the price we pay since there are nefarious people about.

i would recommend working with the security team to request CVEs on oss-sec for specific issues once they are well-defined, and address each of them in turn, while keeping this bug open to track the meta-issue (potentially downgrading to important so as not to impede transitions).

note that any of these crashers that show signs of memory corruption are very much cause for concern (see the recent pdf jbig2 decoder issues). the others can probably be safely discarded.

by "may enable remote compromise," i mean via user-assisted (socially engineered) attack vectors (i.e. downloading and viewing a malicious video file). this is a very legitimate concern since most users are very trusting of untrustworthy data.

mike