[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200403040727.i247RtTb051453@mailserver2.hushmail.com>
Date: Wed, 3 Mar 2004 23:27:54 -0800
From: "Phantasmal Phantasmagoria" <phantasmal@...h.ai>
To: Mark Lowes <hamster@...ftpd.org>
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Re: The Cult of a Cardinal Number
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>A cc of this email to security@...ftpd.org would have been
appreciated
>if you felt the need not to give any prior warning to the team so
>problematic versions could be removed from the ftp archives and/or
>patched.
>
> Mark Lowes
>
>--
>Mark Lowes <hamster@...ftpd.org>
>
Certainly, this is a reasonable request. But it has to be said that I
had
the distinct impression that the 'team' was already aware of the
problems surrounding xlate_ascii_write(), and were merely inclined to
ignore the (perhaps) insignificant percentage of the ProFTPD user base
that had not yet updated to 1.2.9. My justification lies in the resolution
of Bug#2200 which included the clean up of xlate_ascii_write() that saw
these overflows fixed. Castaglia writes in revision 1.69's log message:
"Bug#2200 - Correct segfaults with xlate_ascii_write on IRIX. Some of
the last of the remainding code (whose I understood only partially, such
as the session.xfer.buf++ increment) is now removed, as well as a
potentially dangerous NUL-termination statement."
This leaves me with two possible scenarios. Firstly, castaglia reads
Jesse Sipprell's bug report and without fully understanding the problem
commits the provided patch. Or secondly, castaglia reads Jesse
Sipprell's bug report and realises the possible ramifications of the
highlighted issues, deciding to silently patch them under the guise of
'IRIX segfaults' rather than endure the publicity of yet another
exploitable buffer overflow in his pet project (just days after the ISS
release).
There may be arguments for both accounts, but lets give castaglia
some credit. He knows what he's doing, and I believe that he knew
exactly what the issues meant. Would you mark code as "potentially
dangerous" yet not investigate the matter further to find the complete
implications it may have on your user base? Would anyone?
Love,
Phantasmal Phantasmagoria
phantasmal@...h.ai
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3
wkYEARECAAYFAkBG2xwACgkQImcz/hfgxg3IFACcCvX0oVJHTb15/utdELoaeD00/AsA
oKfFXp4Vfp6MzlED2OvjT/ebA+78
=4zFn
-----END PGP SIGNATURE-----
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434
Promote security and make money with the Hushmail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists