[PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory

Eric Blake eblake@redhat.com
Sat Jan 9 09:11:00 GMT 2016


[I got this mail via cc; I don't see the original in the mail archives,
which means it probably got eaten by the spam trap for too many raw
email addresses or other heuristics. I don't maintain cygwin.com, so
I'm only commenting as a side observer here...]
On 01/07/2016 02:59 PM, Stefan Kanthak wrote:
>> If this was your original off-list post, you just violated your own
>> policy since you included cygwin AT cygwin.com which is a public list
>> on the ping, and thereby made the issue public, without waiting 45 days.
>> Simply wrong!
> Cygwin doesn't name a security mailbox on
> <https://cygwin.com/problems.html>, <https://cygwin.com/lists.html>
> states
> | cygwin: In general, you should send questions and bug reports here.
> (which I did), and all of <security@cygwin.com>, <security@cygwin.org>
> and <security@sourceware.org> bounce: see
> <http://www.ietf.org/rfc/rfc2142.txt> regarding this well-known role
> account (unfortunately RfC-ignorant.org closed).

Okay, maybe we should consider creating a closed-subscription
non-public-archives security@cygwin.com mailing list (however,
cygwin.org and sourceware.org are not the right domains). Or at least
update the web page to mention secalert@redhat.com as a reasonable
alternative closed list to contact with potential Cygwin security flaws.
I'll leave that up to others with actual admin rights on the cygwin.com
box, though.
> Next time: THINK BEFORE YOU POST!

Shouting at people is not the friendliest way to resolve security or
other issues.
-- 
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org