oss-sec mailing list archives
Re: memory safety bugs in bc
From: Hanno Böck <hanno () hboeck de>
Date: Thu, 29 Nov 2018 23:12:55 +0100
On Thu, 29 Nov 2018 11:40:54 -0500 Daniel Kahn Gillmor <dkg () fifthhorseman net> wrote:
I haven't evaluated how many of those systems might pass untrusted input to bc (maybe none!), but this is hardly "standalone".
I think that's not what Marcus meant. These packages on debian likely call bc via the commandline. The idea here is that "mild" memory safety violations (invalid reads, nullptr) don't get security treatment if they're in a standalone tool, yet they do if they're in a library, which may have larger implications in more complex apps. I can somewhat understand that. (And decided for myself not to care too much about CVEs anyway. Relevant for me is primarily that I shared the info, so others can decide how they act on it.) -- Hanno Böck https://hboeck.de/ mail/jabber: hanno () hboeck de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Current thread:
- memory safety bugs in bc Hanno Böck (Nov 28)
- Re: memory safety bugs in bc Marcus Meissner (Nov 29)
- Re: memory safety bugs in bc Daniel Kahn Gillmor (Nov 29)
- Re: memory safety bugs in bc Hanno Böck (Nov 29)
- Re: memory safety bugs in bc Daniel Kahn Gillmor (Nov 29)
- Re: memory safety bugs in bc Daniel Kahn Gillmor (Nov 29)
- Re: memory safety bugs in bc Marcus Meissner (Nov 29)