oss-sec mailing list archives
CVE for library bug that requires application participation
From: Alex Gaynor <alex.gaynor () gmail com>
Date: Wed, 11 Jun 2014 14:06:55 -0700
Hi all,

David Reid, Glyph Lefkowitz, and I discovered a bug in glibc (https://sourceware.org/bugzilla/show_bug.cgi?id=17048) which can, in conjunction with many common memory management techniques from an application (read: we hit this issue repeatedly developing our Python application), lead to a use after free, or other vulnerabilities.

Is it within policy to issue a CVE for glibc in a case like this?

Thanks to the Red Hat security team for assisting in triaging this and working with the Glibc maintainers.

Thanks,
Alex

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
Current thread:
- CVE for library bug that requires application participation Alex Gaynor (Jun 11)
- Re: glibc - CVE for library bug that requires application participation cve-assign (Jun 12)