[ntp:hackers] Release fixing all issues

Harlan Stenn stenn at ntp.org
Thu Jan 21 03:22:54 UTC 2016


Kurt,

I hope I haven't over-trimmed this response.

Kurt Roeckx writes:
> On the other hand you seem to have a different fix for CVE-2015-5300
> than what we applied 3 months ago ...  and it's not clear that their
> [sic] is something wrong with the old patch.

Honestly, this is stunning to me.

Seriously?  *Any* barely-competent C programmer who knows what -g is
supposed to do should be able to look at the patch listed at:

 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5300

and practically INSTANTLY see why that fix is inadequate.

I suspect the key issue is knowing what -g is supposed to do.

-g should allow the first *correction* to exceed the panic gate.

H