endrift 🏳️⚧️tfw you're not even TRYING to audit a library and find a security vulnerability while skimming the source
It's like, babby's first C code here. Complete with a textbook example of a buffer overflow. And there are TWO instances of this same code in the codebase. Ugh.
I will not be revealing the library until I have figured out how to disclose this to the vendor, or at the very least alerted distros. I don't know how long that will take though.
(This library is widely deployed in some capacity, but it's an example of needing custom, malicious hardware to trigger the bug. If you can do that though it's trivial to trigger.)
wuest@endrift does it still count as coordinated disclosure if the maintainer tells you to just publish the vuln on their public issue tracker? 😇
@wuest This is customer support, which is why I was asking for an actual developer. But if I can't actually get in touch with a developer through any publicly accessible channels, well, whose fault is that?
I'm also going to be working with Debian to try and get them to coordinate a disclosure.