Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

[Hanno Böck <hanno () hboeck de>]

On Thu, 29 Jan 2015 02:05:38 -0700
Kurt Seifried <kseifried () redhat com> wrote:

> So you'll be doing the work to confirm which ones are/are not, patch
> them, regression test the patches and so on? Awesome!
>
> There's a reason we don't treat every potential security flaw as a
> security vulnerability. We have finite resources and pretty much an
> infinite number of flaws to deal with. Until you solve that problem we
> have to make due with "best effort", letting perfection be the enemy
> of good will kill us.

I find that sarcastic comment inappropriate. After all it's your
company that's selling a product that makes the promise to backport
important security fixes for years.

I think we have a real problem here and I'd like to have a talk how to
solve it. Debian, Redhat, Ubuntu and many others are making an implicit
promise with their long time supported stable distributions that they'll
take care of important bugs. I have big doubts how capable they are in
delivering that promise. There are just too many bugs to take care of.

I'll write up something longer on that topic later today.

And yes: I'd like people to cry alarm every time they see a buffer
overflow in glibc or any other core lib. Even if we aren't capable of
deeply checking every one of them: Having the information available
somewhere else than depply hidden in a google bugtracker would be an
improvement. If it is too much for this list create another place for
it.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: _bin
Description: OpenPGP digital signature