On 05/06/2016 10:40 AM, Jim Meyering wrote:
> On Fri, May 6, 2016 at 6:46 AM, none <ytr...@sdf-eu.org> wrote:
>> Hello,
>>
>> As a non contributor, where shall I post sensitive patches that fixes
>> important security threats ?
>
> A good general approach is to look through recent commits,
> http://git.savannah.gnu.org/cgit/gzip.git and use the name/email of
> those who have been pushing changes.

For what it's worth, the original poster has been communicating with me
off-list (even though I haven't made many recent contributions), and
claiming that the bug in question is a repeat of CVE-2005-1228
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255
regarding path traversal bugs when compiled for some Windows-based
platforms.

As that is already a known exploit, I don't see it as a new security
issue, but at most just an incomplete fix to an already-public issue,
and therefore, see no reason why it can't be discussed in this public bug.

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org