Open Source and information security mailing list archives
 
From: dotslash at snosoft.com (KF)
Subject: SRT2003-05-08-1137 - ListProc mailing list ULISTPROC_UMASK overflow

Shawn McMahon wrote:

>On Thu, May 08, 2003 at 12:15:41PM -0500, KF said:
>  
>
>>not on hand to thoroughly test the fix. SecNetOps did not have the 
>>facilities to compile the new version of catmail in efforts to test the
>>fix on our own. The problem appeared to be caused by a series of strcat() 
>>    
>>
>
>Huh?  They can't come up with a Linux box with enough HD space to store
>the source code?  What, does the company use PCs in their school library
>to do all their Important Security Consultant Work?
>
Well I am glad you can come up with a negative spin on a public notice 
to help those that are using this buggy software.... this hole was found 
last summer in a *binary* release and it was not disclosed at that time 
for whatever reason. Since then ListProc (CREN) has gone under and I 
have lost the binaries and source that I was testing against. As far as 
the facilities to compile, of course we have a Linux box and other Unix 
boxen (in fact we provide public access to them on a regular basis). 
ListProc needed a certain set of application tools to compile and I was 
really not interested in jumping through hoops to get the compile done. 
CREN itself could not compile the program and provide a binary to us and 
I am not really familiar with their development environment and I opted 
not to research the issue any further.... so sue me.

>Never mind, I just looked at their website.  Maybe they truly DON'T have any Linux or other UNIX boxes.
>
If you are referring to our page I really do not see how you can 
determine what boxen we have on our LAN simply by browsing our web page.

Maybe Episode IV http://oa.eiv.com:8080/ can help the community out and 
compile the source at SourceForge and let us all know how things go. 
Maybe you can even bring the shawncam online again so we can watch you 
work! Looking at your web page you are certainly one to talk about using 
the school library for "Important Security Consultant Work" since half 
your staff looks like family I suspect EIV is run from your house rather 
than the library.
-KF


