Re: Buffer Overflow in raptor widely unfixed in Linux distros

[Dave Horsfall <dave () horsfall org>]

On Fri, 13 Nov 2020, Hanno Böck wrote:

[...]

> It may be interesting to discuss how this happened. From my side I feel 
> I did what I should do - I reported it to the project and later 
> disclosed it publicly on oss-security. Apparently it seems there is no 
> reliable process to make sure publicly reported vulns eventually get 
> patched in distros if there is no active upstream.

There's always the "Full Disclosure" list (URL forgotten, but 
http://lists.grok.org.uk rings a bell).

Their policy is simple: provide ample warning, then disclose the bug; the 
problem is that Big Corporations brush off a bug report with "We're 
working on it" and actually do nothing, because fixing bugs takes time 
and money.  Funny how quickly a bug is fixed when it's published...

-- Dave