This is the mail archive of the cygwin-developers mailing list for the Cygwin project.
Re: cygwin1.dll up to 1.5.22 overflow
Dave, Corinna,
Do you consider that the advisory could already be published, due to the
collateral correction of the flaw in recent versions?
Regards,
Dave Korn wrote:
> On 08 November 2007 13:51, Daniel Fdez. Bleda wrote:
>
>> Dear Corinna,
>>
>> I understand from this that you are asking that details about
>> exploitation, pof, etc. of a vulnerability of a software should be
>> directly disclosed in the list? Sounds kind of dangerous.
>>
>> I didn't usually include in "bugs" a bof that permits execute code.
>>
>> I'll do this as you requested omitting sensible information.
>
> I understand your need for caution. I think maybe we should consider what
> is the best course of action to take and perhaps write up a semi-formal
> announcement for the list instead?
>
> Also, maybe we should retire the earlier vulnerable cygwin dll versions that
> are still on sourceware.org?
>
> Cygwin is inherently insecure, the shared memory mechanism allows
> unauthenticated communication across trust boundaries between processes;
> without a major redesign it's always going to be vulnerable to privilege
> escalation in particular. It's not advisable to run a cygwin-based service
> facing the public internet IMO.
>
> Which was the vulnerable function? I'd like to see how serious the
> opportunities for attack are before we rush into anything.
>
>
> cheers,
> DaveK