On Sat, 30 Jul 2005, Micah Anderson wrote:
> On Tue, 05 Apr 2005, Joey Hess wrote:
> 
> >> Jaakko, I was reminded that this bug has been open for 7 weeks with
> >> no reaction. It's a minor and somewhat hypothetical security hole,
> >> but we have a fix for it; do you plan to close the bug soon?
> 
> > Uh, it got buried under other things. Yeah, the fix is trivial, but
> > I won't have time to even look at it this week, so if you feel like it,
> > please NMU. If not, I'll ask Twin or someone to do it.
> 
> This was back in April, you said you didn't have time that week,
> almost three months have passed. Have you asked Twin to do it instead,
> and this person neglected to follow up on it as well?

 Got buried under other things as this thing is not exploitable.

> >>  Btw, did someone inform upstream? There is no new upstream version,
> >>  and I at least could not find anything grepping the subject lines
> >>  of syslinux list archives.
> 
> > No, I didn't inform upstream, I figured you knew how to best pass it on
> > to them.
> 
> Have you informed upstream?

 Yes, and his answer:

| It's not a security hole, since it would only be exploitable if you can
| substitute libc, in which case you have root on the machine anyway.
|
| Might as well clean it up to keep the whiners quiet, though.
|
|        -hpa

                        --j


