On 01/14/2019 09:38 PM, Kevin Kofler wrote:
> Dave Love wrote:
>> I ask because three CVEs have triggered automated bug reports against
>> libxsmm <https://apps.fedoraproject.org/packages/libxsmm/bugs>. I don't
>> understand why the CVEs were issued, since a problem with unrealistic
>> input to a (rather rarely used) development tool doesn't strike me as a
>> security problem.
>
> libxsmm is NOT a "development tool", it is a library that ends up linked
> into scientific applications. Those applications may very well encounter
> untrusted input, especially here where we are talking about importing
> external files! So those security issues absolutely MUST be fixed!
>

Heap-based buffer overflows are indeed serious, and if there is a patch, please apply it! Also, no serious upstream will ignore these flaws; if they do, it's not worth keeping these packages in Fedora imo!

--
Huzaifa Sidhpurwala / Red Hat Product Security Team

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx