On Thu, 13 Jun 2002 14:58:34 -0600, "Theo de Raadt" <deraadt@xxxxxxxxxxxxxxx> wrote:
> > Theo de Raadt <deraadt@xxxxxxxxxxxxxxx> writes:
> > > I am shocked this is not being considered a security problem.
> >
> > calm down, it is. It's already fixed in CVS and we will do a release
> > shortly after we've verified that it doesn't break things.
>
> Well, the attitude of uninformed denial still sucks...

I suppose that you are referring to my previous message. Note that I did not deny the fact that it is a bug that must be fixed. I just wanted to mention that the fix (which is already in CVS anyway) could break things for some people and we should do some testing before releasing the patch in a hurry.

In other words, we should not consider this patch in isolation because we may have to modify some other parts of the GIMP if we want to avoid breaking it for some operating systems or for some specific configurations. Maybe there is nothing to change, in which case the patch could be released immediately. But maybe there is, so we should at least do some testing (and I am doing that right now for several versions of Linux and Solaris).

Also, I was specifically replying to Rockwalrus' suggestion that we should have a "big notice" about this security fix and maybe publish it on Bugtraq. I thought that it was a bit excessive, that's why I wrote: "The bug should be fixed, but the window of opportunity for malicious uses of this shared memory segment seems to be rather small so it does not deserve any big announcement."

I do not consider this to be an "attitude of uninformed denial." If this is how it was perceived, then I am sorry for that. Maybe I should have used a better wording. I am a quite security-conscious person and I certainly do not want to leave any security hole open.

-Raphaël