On Sun, Feb 12, 2012 at 09:27:24PM +0100, Moritz Mühlenhoff wrote:
> If the missing format string is variable and controlled externally (e.g.
> if read from a file or from network communication), please file it
> with RC severity and the security tag. (If it's a popular Perl module,
> please contact t...@security.debian.org, so that we can coordinate with
> other distros.)
>
> Otherwise it's rather "normal" severity.

I didn't feel qualified to make judgements about the exploitability, but I thought it would be worth an initial filing in any case (I made this clear in the text of my reports). You can see them at
<http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=hardening;users=debian...@lists.debian.org>

Cheers,
Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)