| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Mar 2004 23:27:54 -0800 From: "Phantasmal Phantasmagoria" <phantasmal@...h.ai> To: Mark Lowes <hamster@...ftpd.org> Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com Subject: Re: The Cult of a Cardinal Number -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >A cc of this email to security@...ftpd.org would have been appreciated >if you felt the need not to give any prior warning to the team so >problematic versions could be removed from the ftp archives and/or >patched. > > Mark Lowes > >-- >Mark Lowes <hamster@...ftpd.org> > Certainly, this is a reasonable request. But it has to be said that I had the distinct impression that the 'team' was already aware of the problems surrounding xlate_ascii_write(), and were merely inclined to ignore the (perhaps) insignificant percentage of the ProFTPD user base that had not yet updated to 1.2.9. My justification lies in the resolution of Bug#2200 which included the clean up of xlate_ascii_write() that saw these overflows fixed. Castaglia writes in revision 1.69's log message: "Bug#2200 - Correct segfaults with xlate_ascii_write on IRIX. Some of the last of the remainding code (whose I understood only partially, such as the session.xfer.buf++ increment) is now removed, as well as a potentially dangerous NUL-termination statement." This leaves me with two possible scenarios. Firstly, castaglia reads Jesse Sipprell's bug report and without fully understanding the problem commits the provided patch. Or secondly, castaglia reads Jesse Sipprell's bug report and realises the possible ramifications of the highlighted issues, deciding to silently patch them under the guise of 'IRIX segfaults' rather than endure the publicity of yet another exploitable buffer overflow in his pet project (just days after the ISS release). There may be arguments for both accounts, but lets give castaglia some credit. He knows what he's doing, and I believe that he knew exactly what the issues meant. Would you mark code as "potentially dangerous" yet not investigate the matter further to find the complete implications it may have on your user base? Would anyone? Love, Phantasmal Phantasmagoria phantasmal@...h.ai -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.3 wkYEARECAAYFAkBG2xwACgkQImcz/hfgxg3IFACcCvX0oVJHTb15/utdELoaeD00/AsA oKfFXp4Vfp6MzlED2OvjT/ebA+78 =4zFn -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists