Hi,

On Tue, 22 Nov 2016, Ola Lundqvist wrote:
> All of them are related to heap overflow that "can potentially cause
> arbitrary code execution".
> This is a security problem, but the question is how important it is.
>
> The crash is a DoS problem, but my guess is that from that perspective the
> worst thing that will happen is that the person opening the file will be a
> little upset and blame the person sending the file.

We're speaking of a library, you don't know how the library is used by our
users (outside of Debian packages). And even in Debian it's hard to
investigate how it's used everywhere. Thus I would think twice before
deciding to tag this no-dsa.

> I do however think that this is less of an issue as files are not loaded
> automatically (my assumption), but rather by a person who gets a file from a
> hopefully rather trusted source.

I would not make this assumption.

> Also I have in other discussions got the impression that gcc nowadays has
> some kind of heap protection that prevents overwrite of data causing
> arbitrary code execution. I may be wrong however.

Looking at hdf5 in wheezy, I don't see any hardening feature enabled.
I wonder where you saw that gcc has such protections by default in Debian.

> All in all I'm leaning towards marking these as no-dsa, but I would like
> your advice before doing so.

I would not mark them no-dsa.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
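One way to verify an observation like the one above about the hdf5 build, as an added example that is not code from this thread, from hdf5 or from Debian's tooling: a small Python reader of ELF64 program headers and the dynamic section that reports RELRO (partial vs. full), non-executable stack and ET_DYN (PIE or shared object), using the standard ELF and glibc constant values. Stack protector and FORTIFY would need symbol-table inspection and are not covered here, and note that none of these flags is a heap overflow protection, which bears on the gcc question in the thread. The `build_sample` helper is an assumed, constructed minimal ELF image (not a real binary) that exists only to exercise the checks.

```python
import struct

ET_DYN, PT_DYNAMIC = 3, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf_hardening(data: bytes) -> dict:
    """Report RELRO / NX-stack / ET_DYN for a little-endian ELF64 image (raw file bytes)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # Each tuple: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdrs = [struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    # No PT_GNU_STACK header at all means the loader may grant an executable stack.
    nx_stack = bool(stack) and not (stack[0][1] & PF_X)
    relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = False  # full RELRO needs BIND_NOW so the GOT is resolved before being made read-only
    for p in (p for p in phdrs if p[0] == PT_DYNAMIC):
        off, end = p[2], p[2] + p[5]
        while off + 16 <= end:
            tag, val = struct.unpack_from("<qQ", data, off)
            off += 16
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    return {"position_independent": e_type == ET_DYN,  # ET_DYN covers both PIE and shared libraries
            "nx_stack": nx_stack,
            "relro": "full" if relro and bind_now else "partial" if relro else "none"}

def build_sample(nx: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (not a real binary) that exercises the checks above."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + struct.pack("<qQ", DT_NULL, 0)
    segs = [(PT_GNU_STACK, 0x6 if nx else 0x7)] + ([(PT_GNU_RELRO, 0x4)] if relro else []) + [(PT_DYNAMIC, 0x6)]
    dyn_off = 64 + 56 * len(segs)  # dynamic section follows the header and program headers
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                                 len(dyn) if t == PT_DYNAMIC else 0, len(dyn) if t == PT_DYNAMIC else 0, 8)
                     for t, f in segs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN, 62, 1, 0, 64, 0, 0, 64, 56, len(segs), 64, 0, 0)
    return ehdr + phdrs + dyn
```

To inspect a real library, pass the file's bytes to `elf_hardening`, e.g. `elf_hardening(open(path, "rb").read())`.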