On 1/14/19 4:08 PM, Kevin Kofler wrote:
> Dave Love wrote:
>> I ask because three CVEs have triggered automated bug reports against
>> libxsmm <https://apps.fedoraproject.org/packages/libxsmm/bugs>.  I don't
>> understand why the CVEs were issued, since a problem with unrealistic
>> input to a (rather rarely used) development tool doesn't strike me as a
>> security problem.
> 
> libxsmm is NOT a "development tool", it is a library that ends up linked 
> into scientific applications. Those applications may very well encounter 
> untrusted input, especially here where we are talking about importing 
> external files! So those security issues absolutely MUST be fixed!

The bugs are raised not against the runtime library but against a command-
line development tool. When unrealistic arguments are given there is a memory
allocation failure.

-- 
Andrew Haley
Java Platform Lead Engineer
Red Hat UK Ltd. <https://www.redhat.com>
EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org