On 27/08/18 18:22, Moritz Muehlenhoff wrote:
On Mon, Aug 27, 2018 at 05:40:01PM +0800, Bjoern wrote:
-- Begin Quote: ----------------------
From: Chris Lamb <la...@debian.org>
To: 906...@bugs.debian.org
Cc: t...@security.debian.org
Subject: Re: libxcursor: CVE-2015-9262
Date: Mon, 13 Aug 2018 08:18:27 +0100
[Message part 1 (text/plain, inline)]
Hi security team,
libxcursor: CVE-2015-9262
I have prepared an update for stretch:
libxcursor (1:1.1.14-1+deb9u2) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fix a denial of service or potentially code execution via
a one-byte heap overflow. (CVE-2015-9262) Closes: #906012)
-- Chris Lamb <la...@debian.org> Mon, 13 Aug 2018 09:09:13 +0200
Full debdiff attached. Permission to upload to stretch-security?
-- End Quote: ------------------------
Hi Chris & Security Team:
Has Chris' patch for "Stretch" gone to /dev/null ?
"Stretch"/stable remains exposed whilst old-stable, testing, and unstable
have been patched.
May I seek your enlightenment on this matter?
This turned out to be non-exploitable. A fix will be provided via the
stretch 9.6 point release.
Cheers,
Moritz
Hi.
As I am clearly unfamiliar with your processes, I really would
appreciate the clarification to better my understanding and perhaps
quell my concerns:
* How far away is the 9.6 point release (given that 9.5 was released
just over 1.5 months ago)?
* Why could the issue not be dealt with by simply supplying the fix in
the nearer term as a security update? Would it not be better to err on
the side of caution?
* I still would like to be pointed to the reference(s) and/or criteria
used by the Security Team to determine that the issue is non-exploitable
and a minor issue. I have searched around to find references regarding
CVE-2015-9262 being non-exploitable, but have so far not found anything
suggesting such - hence my request for a pointer.
I ask your forgiveness for my persistence on this matter and beg that
you don't dismiss me out of hand. What may very well be clear to you -
unfortunately is not currently clear to me, or perhaps other potential
future contributors to the Debian project I might add.
I notice that a similar protocol of "ignored security issue"/"minor
issue" is applied to the recent security bug raised against libx11.
I really would welcome constructive feedback here.
Kindest regards,
Bjoern.