OpenClonk Forum
Up Topic Development / Developer's Corner / Report bugs which affect security of Clonk Rage?
- - By Jan Date 2013-08-07 15:09 Edited 2013-08-07 15:11
What do you think about reporting bugs in OpenClonk which allow remote code execution and also affect Clonk Rage (and earlier versions)? If someone creates a bug report/fix for OC, it could be used to develop an exploit for CR since everyone could look it up.
OpenClonk uses ASLR and DEP, which means that it's harder to exploit buffer overflows. Clonk Rage does not use ASLR and DEP is not available due to the use of Aspack, so developing exploits for Clonk Rage is much easier.
I think it's better to not report buffer overflows which also affect CR, since even if someone else discovered them, he would also have to bypass ASLR and DEP. What do you think about it?
Parent - - By Sven2 [de] Date 2013-08-07 21:38
I think you can create private bug reports that only developers can see?

The situation for Clonk Rage doesn't look that bleak at the moment, actually. There were some discussions about moving maintenance of Clonk Rage to the OpenClonk infrastructure (as an "old version"), in which case we could release security updates for Clonk Rage as well.
Parent - - By Jan Date 2013-08-07 23:46

> I think you can create private bug reports that only developers can see?


But as soon as it's fixed everyone can find out about it in the log of the repository.
Parent - - By Caesar [de] Date 2013-08-09 13:51
You can't really play online without updating, and private bugs stay private, iirc.
Parent - By Isilkor Date 2013-08-09 17:27
He's talking about fixing a bug shared between OC and CR in OC only, at which point the fix (and thus the bug) becomes public.