Hello Genodians,
I've recently stumbled upon a use-after-free bug in one of the Genode core base classes. I think I have a pretty good understanding of the problem and would like to file a bug report with my findings. Given the potential security implications of UAF-type bugs, I'm not sure what is the best course of action here. Should I report this using the GitHub issue tracker, which AFAIU will result in the report being public? Or is there some other way to report bugs like this?
/ptw
Hello Piotr,
On 05.11.20 14:00, Piotr Tworek wrote:
> I've recently stumbled upon a use-after-free bug in one of the Genode core base classes. I think I have a pretty good understanding of the problem and would like to file a bug report with my findings. Given the potential security implications of UAF-type bugs, I'm not sure what is the best course of action here. Should I report this using the GitHub issue tracker, which AFAIU will result in the report being public? Or is there some other way to report bugs like this?
I greatly appreciate your sense of responsibility.
In cases like this, when the reach of the problem is uncertain, please let us first discuss the issue privately by writing to 'bugs@genode.org'.
All developers at Genode Labs can follow and participate in the discussion, and contribute to the assessment of risk and the further coordination.
Best regards,
Norman
Hi Norman,
I've sent an email with a proposed patch to bugs@genode.org.
/ptw