oss-sec mailing list archives
Re: Re: CVE-Request - GNU Awk.
From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Mon, 14 Mar 2016 13:01:38 -0500 (CDT)
On Mon, 14 Mar 2016, Kurt Seifried wrote:
Is a SIGSEGV on it's own enough to justify a CVE? For some apps the answer would be yes (e.g. a single threaded network service that crashes out). For something like gawk I'm not so sure, it's a local utility that shouldn't
I don't see a security issue here. It is just a bug. In order for it to be a security issue, it needs to be caused by external data input into the program (e.g data processed by the awk script). This would also apply to a network service which has a bug and crashes due to something other than specific external input (e.g. resource leak).
Bob -- Bob Friesenhahn bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Current thread:
- CVE-Request - GNU Awk. Steve Kemp (Mar 13)
- Re: CVE-Request - GNU Awk. Tomas Hoger (Mar 14)
- Re: CVE-Request - GNU Awk. Yuriy M. Kaminskiy (Mar 14)
- Re: Re: CVE-Request - GNU Awk. Kurt Seifried (Mar 14)
- Re: Re: CVE-Request - GNU Awk. Bob Friesenhahn (Mar 14)
- Re: CVE-Request - GNU Awk. Yuriy M. Kaminskiy (Mar 14)
- Re: CVE-Request - GNU Awk. Tomas Hoger (Mar 14)
- <Possible follow-ups>
- Re: CVE-Request - GNU Awk. Steve Kemp (Mar 14)