I don't see a lot of reasons to not have details and discussion in public, most of InetUtils is ancient code and there are surely lots of problematic things in it (I think we've just seen the beginnings of a vulnerability report flood here...) -- more public code review and discussion seems fine to me. Coordinating analysis and resulting code fixes with *BSD and other actively maintained implementations would also be nice. Alas, I don't have a lot of cycles, so I will try to focus on release management so we have a working method to get fixes published. The v2.8 release is overdue, and I will prioritize getting that out first.
/Simon

Oculytic <[email protected]> writes:

> Sorry, I did not know the 'bugs' email linked directly to the public list.
> I will email you directly with more details.
>
> On Sun, Apr 12, 2026 at 4:41 PM Collin Funk <[email protected]> wrote:
>
>> Oculytic <[email protected]> writes:
>>
>> > I've attached a full writeup with root cause analysis, affected code
>> > locations.
>> >
>> > I'd like to propose a 30-day disclosure window from today's date. I'm happy
>> > to work with you on a fix - the writeup includes suggested remediation
>> > approaches (replacing signal/longjmp with a flag-based or self-pipe
>> > approach).
>> >
>> > I also plan to request a CVE ID from MITRE and coordinate with the distros
>> > list once a patch is ready. Please let me know if you'd prefer a different
>> > timeline or process.
>> >
>> > Please confirm receipt when you can.
>>
>> This is a public list [1].
>>
>> Given that the attached writeup looks like it was copy-pasted from an
>> LLM, I would appreciate it if you could send reproduction steps before I
>> rush to look at it.
>>
>> Collin
>>
>> [1] https://lists.gnu.org/archive/html/bug-inetutils/2026-04/msg00000.html
>>