Subject: Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
From: Eric Blake
To: Stefan Kanthak
Cc: cygwin AT cygwin DOT com
Date: Fri, 8 Jan 2016 15:21:38 -0700
Message-ID: <56903672.7020307@redhat.com>
References: <568EA2DC DOT 3020900 AT redhat DOT com> <34A2D15A19D247B4A46A173C41C73094 AT W340>
In-Reply-To: <34A2D15A19D247B4A46A173C41C73094@W340>

[I got this mail via cc; I don't see the original in the mail archives, which means it probably got eaten by the spam trap for too many raw email addresses or other heuristics. I don't maintain cygwin.com, so I'm only commenting as a side observer here...]

On 01/07/2016 02:59 PM, Stefan Kanthak wrote:
>> If this was your original off-list post, you just violated your own
>> policy since you included cygwin AT cygwin.com which is a public list
>> on the ping, and thereby made the issue public, without waiting 45 days.
>
> Simply wrong!
> Cygwin doesn't name a security mailbox on
> ,
> states
>
> | cygwin: In general, you should send questions and bug reports here.
>
> (which I did), and all of ,
> and bounce: see
> regarding this well-known role
> account (unfortunately RfC-ignorant.org closed).

Okay, maybe we should consider creating a closed-subscription non-public-archives security AT cygwin DOT com mailing list (however, cygwin.org and sourceware.org are not the right domains). Or at least update the web page to mention secalert AT redhat DOT com as a reasonable alternative closed list to contact with potential Cygwin security flaws. I'll leave that up to others with actual admin rights on the cygwin.com box, though.

> Next time: THINK BEFORE YOU POST!

Shouting at people is not the friendliest way to resolve security or other issues.
-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org