[Toybox] CVEs

Rob Landley rob at landley.net
Sun Feb 19 07:58:39 PST 2023


On 2/18/23 23:06, enh via Toybox wrote:
> on your blog, you said:
> """
> Wait... really? There's a toybox CVE for httpd? (Yeah I remember
> fixing that bug, but was it really worth a Charged Vacuum Emboitment?)
> """
> 
> given that the original bug on github explicitly had the "found by
> $FOO of $BAR" boilerplate that you tend to see from security
> researchers who file these things for a living, i assume they also
> filed the CVE so they can claim priority if anything ever does come of
> this bug. (this is one reason why consumers of CVEs have their own
> people to try to determine the relevance/severity _to them_.)
> 
> if you ever get a "real" CVE -- one that's "obviously" important --
> they'll probably mail you directly rather than zero-day you via the
> github issue tracker :-)

Eh, it's hard to tell what is and isn't relevant when exploits wind up chaining
together 13 different minor things, but the command was less than a year old,
static-only, doesn't work as a standalone daemon and I haven't shipped an actual
inetd yet, and I thought exposing an external port on an android device required
some sort of blood sacrifice from AT LEAST three different types of animal?

It was more an "is... is somebody already _using_ this?" (It was promoted on
April 24, the segfault was reported and fixed May 29. They had something like 35
days to notice...)

I shouldn't be surprised it's RFC logic, publish the slush pile and let somebody
else filter out an interesting subset. (So what does Mitre do then? Other than
provide another layer of indirection for laundering black budgets, which is like
half of Arlington's economy and probably a good chunk of Alexandria...)

Rob
