Reporting security issues in glib

From: "Will Drewry" <redpig ocert org>
To: foundation-list gnome org
Cc: Diego Petten? <flameeyes gmail com>, team ocert org
Subject: Reporting security issues in glib
Date: Tue, 11 Nov 2008 09:32:26 -0600

Hi GNOME Foundation,

Diego Petten (cc'd) reported a few integer overflows, to us at oCERT,
which may lead to exploitable heap overflows in glib >= ~2.12.
However, there doesn't appear to be a private tracker for
security-sensitive bugs on the gnome/gtk web sites.  We'd like to help
coordinate getting the bugs patched and vendors updated.  Our normal
procedure is to do that with an embargo period (which cannot exceed
two months) where the bugs are not disclosed.  Regardless, we're happy
to accomodate whatever disclosure approach that you and Diego are
comfortable with.   If you could let us know how we should proceed
with reporting this security bug and any future bugs in the Gnome
project, it would be much appreciated!

If you can recommend a better point of contact for getting this
question answered, that would be equally appreciated.

Thanks!
will

--
Will Drewry <redpig ocert org>
oCERT Team :: http://ocert.org

Follow-Ups:
- Re: Reporting security issues in glib
  - From: Gregory Leblanc

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]