Lack of update information
Matthew Woehlke
mw_triad at users.sourceforge.net
Mon Jan 26 23:22:01 UTC 2009
Kevin Kofler wrote:
> diff -Nur foo-old foo-new
> and you'll see fairly quickly what they fixed. (And it's also trivial for a
> cracker to do that, so it's utterly pointless to try withholding
> information that way.)
I disagree.
I recently fixed something that could be considered "denial of service"
in a program I maintain. The patch basically replaces some instances of
"foo=object; object.incrementRefCount();' with 'foo=object.clone();'.
I'd challenge you to figure out from just that how to exploit the
problem, whereas the bug report might contain a detailed description of
what you had to do, how the timing has to work out, and exactly what
effect would be seen.
There's a difference between having to engineer an exploit from the
patch (especially if even the commit is vaguely worded), and having full
documentation on the problem and its cause.
--
Matthew
Please do not quote my e-mail address unobfuscated in message bodies.
--
find / -user your -name base -print0 | xargs -0 chown us:cats -- Unknown
More information about the fedora-devel-list
mailing list