Re: Re: heap overflow in procmail

[Tavis Ormandy <taviso () cmpxchg8b com>]

Rich Felker <dalias () libc org> wrote:

> On Wed, Sep 03, 2014 at 09:44:12PM -0700, Tavis Ormandy wrote:
> > Rich Felker <dalias () libc org> wrote:
> > > Unless I'm misunderstanding your report, the problem is in the formail
> > > utility which comes with procmail, not procmail itself. This should be
> > > clarified in the title of the vuln, perhaps as "heap overflow in
> > > procmail's formail utility" rather than "heap overflow in procmail".
> >
> > I'm not sure what "title" you mean, are you referring to my email
> > subject? If you are, I think "<problem> in <package>" is pretty
> > reasonable, but perhaps this is subjective (hah!).
>
> Yes, the email subject. "<problem> in <package>" seems reasonable, but
> when <package> is also the name of the main program in <package>, and the
> actual vuln is in a secondary program included with it, I think it's
> confusing.

You're free to form the subject line of your emails any crazy way you like,
you can put the entire email in there if it makes you happy.

If you want a list policy on Subject lines, talk to the moderators - not me.
I personally think information like version, platforms, programs and patches
belong in the body.

Tavis.