Debian Bug report logs - #848704
CVE-2016-4973

Reported by: Moritz Mühlenhoff <jmm@debian.org>

Date: Mon, 19 Dec 2016 17:51:01 UTC

Severity: important

Tags: security

Done: Stephen Kitt <skitt@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Stephen Kitt <skitt@debian.org>:
Bug#848704; Package src:gcc-mingw-w64. (Mon, 19 Dec 2016 17:51:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Stephen Kitt <skitt@debian.org>. (Mon, 19 Dec 2016 17:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2016-4973
Date: Mon, 19 Dec 2016 18:48:06 +0100
Source: gcc-mingw-w64
Severity: important
Tags: security

This has been assigned CVE-2016-4973:
https://bugzilla.redhat.com/show_bug.cgi?id=1324759

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#848704; Package src:gcc-mingw-w64. (Mon, 19 Dec 2016 18:03:03 GMT)


Acknowledgement sent to Stephen Kitt <skitt@debian.org>:
Extra info received and forwarded to list. (Mon, 19 Dec 2016 18:03:03 GMT)


Message #10 received at 848704@bugs.debian.org:

From: Stephen Kitt <skitt@debian.org>
To: Moritz Mühlenhoff <jmm@debian.org>, 848704@bugs.debian.org
Subject: Re: Bug#848704: CVE-2016-4973
Date: Mon, 19 Dec 2016 19:01:41 +0100
Hi Moritz,

On Mon, 19 Dec 2016 18:48:06 +0100, Moritz Mühlenhoff <jmm@debian.org> wrote:
> This has been assigned CVE-2016-4973:
> https://bugzilla.redhat.com/show_bug.cgi?id=1324759

This doesn't really seem to be going anywhere; is it really worth spending
time on? GCC upstream disagrees that it's an issue. I'd already tried the
patch attached to the bug linked above, and it doesn't work.

(Note that I work for Red Hat.)

Regards,

Stephen

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Kitt <skitt@debian.org>:
Bug#848704; Package src:gcc-mingw-w64. (Mon, 26 Dec 2016 10:36:02 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Stephen Kitt <skitt@debian.org>. (Mon, 26 Dec 2016 10:36:02 GMT)


Message #15 received at 848704@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Stephen Kitt <skitt@debian.org>
Cc: 848704@bugs.debian.org
Subject: Re: Bug#848704: CVE-2016-4973
Date: Mon, 26 Dec 2016 11:31:57 +0100
On Mon, Dec 19, 2016 at 07:01:41PM +0100, Stephen Kitt wrote:
> Hi Moritz,
> 
> On Mon, 19 Dec 2016 18:48:06 +0100, Moritz Mühlenhoff <jmm@debian.org> wrote:
> > This has been assigned CVE-2016-4973:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1324759
> 
> This doesn't really seem to be going anywhere, is it really worth spending
> time on? GCC upstream disagrees that it's an issue. I'd already tried the
> patch attached to the bug linked above, and it doesn't work.

I mostly filed it for completeness to have the status tracked in the BTS.

From my point of view it's not a vulnerability and should not have a
CVE ID assigned; it's ultimately just a missing security hardening
feature.

I'm fine with simply closing it, but it's your maintainer's call.

Cheers,
        Moritz



Reply sent to Stephen Kitt <skitt@debian.org>:
You have taken responsibility. (Sun, 21 Jan 2018 22:21:10 GMT)


Notification sent to Moritz Mühlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 21 Jan 2018 22:21:10 GMT)


Message #20 received at 848704-done@bugs.debian.org:

From: Stephen Kitt <skitt@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 848704-done@bugs.debian.org
Subject: Re: Bug#848704: CVE-2016-4973
Date: Sun, 21 Jan 2018 23:18:53 +0100
On Mon, 26 Dec 2016 11:31:57 +0100, Moritz Mühlenhoff <jmm@inutil.org> wrote:
> On Mon, Dec 19, 2016 at 07:01:41PM +0100, Stephen Kitt wrote:
> > On Mon, 19 Dec 2016 18:48:06 +0100, Moritz Mühlenhoff <jmm@debian.org>
> > wrote:
> > > This has been assigned CVE-2016-4973:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1324759
> > 
> > This doesn't really seem to be going anywhere, is it really worth spending
> > time on? GCC upstream disagrees that it's an issue. I'd already tried the
> > patch attached to the bug linked above, and it doesn't work.
> 
> I mostly filed it for completeness to have the status tracked in the BTS.
> 
> From my point of view it's not a vulnerability and should not have a
> CVE ID assigned, it's ultimately just a missing security hardening
> feature.
> 
> I'm fine with simply closing it, but it's your maintainer's call.

Circling back to this, I agree, and nothing ever came of the various bugs
opened elsewhere in relation to this CVE (except in newlib which isn’t
particularly relevant here). It would be nice if SSP was supported properly,
but it’s not a security issue as far as I’m concerned. So I’m closing the
bug.

Regards,

Stephen

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 19 Feb 2018 07:25:38 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:31:49 2019; Machine Name: buxtehude
