On Tue, 16 Aug 2005, Archaic wrote:

> On Tue, Aug 16, 2005 at 09:47:06PM +0100, Ken Moffat wrote:
> >
> > This vulnerability should be low risk for most of us, but I think it's
> > the sort of thing that ought to be applied.
>
> Agreed.
>
Hmm, I think I should have checked the patches list before starting this
thread; it's already been committed. Thanks, Jim.

> > The question is, what do other people, particularly LFS editors,
> > think? Should there be a severity threshold, and less critical
> > patches need to be discussed on this list, or should I just go ahead
> > and commit?
>
> Well, most things should be mentioned even if there is no discussion
> needed. It at least gives the OP the chance to lay out the problem and
> the relevant URLs (ensure {b,}lfs-dev and lfs-support are sent the
> email for the sake of those who don't follow all the lists). If the
> patch is tested and known to not break something obvious, then by all
> means commit it (testing branches and other specialty branches may have
> more specific guidelines).
>

If people don't want to follow -security, I don't think spamming the
support lists will help.

> If it breaks something subtly, that would hopefully be found as more
> people build trunk and BLFS, which also implies that the closer to a
> release we get, the more rigorously the editor should test *before*
> committing. The very minimum of testing is to create a test case and
> trigger the vuln in the non-patched software, then try with the patched
> software, instead of taking some distro's word that said patch works
> (they've been wrong before).
>
> All IMO.
>

And in terms of post-release errata, I suppose I have to swear by
everything I hold holy that it works and fixes the vulnerability. Or
maybe just swear on the grave of my AmigaOne.

Well, I don't have the right mindset to fully concoct an exploit, but in
this case the patch prevented a contrived filename from running 'exit',
so I'm more or less OK this time. But more generally, that is a very
high standard.

> > Do people think the patches need to be reviewed for apparent
> > correctness, or is the opinion of one editor that a patch looks
> > reasonable sufficient?
> >
> Well, we do have the opportunity to review the commit message. :)
>

If we're subscribed to -patches.

Anyway, thanks for the comments. I'll add it to the errata for stable in
the morning, then announce it on -security.

Ken
-- 
the first time as tragedy, the second time as farce
-- 
http://linuxfromscratch.org/mailman/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page