lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 29 Oct 2004 15:25:26 -0400
From: David Brodbeck <DavidB@...l.interclean.com>
To: 'Tim Newsham' <newsham@...a.net>,
	Michael Wojcik <Michael.Wojcik@...rofocus.com>
Cc: Valdis.Kletnieks@...edu, bugtraq@...urityfocus.com
Subject: RE: Update: Web browsers - a mini-farce (MSIE gives in)


> -----Original Message-----
> From: Tim Newsham [mailto:newsham@...a.net]

> But lets assume that a good programmer is writing software and
> it comes to his attention that there is a buffer overflow, or
> that user input is not being filtered, or that user input is being
> passed to a printf type function.  What happens next?  Well, it
> depends on how many bugs there are, how much other work needs
> to be done, and very importantly, what the perceived impact of
> that bug is.  You cannot imagine how many times a bug is pointed
> out and the author of the software says "ok, that bug can only
> happen if the user does something stupid, and it is not exploitable.
> Lets defer that one."

This suggests that it's reasonable for a program to segfault because the
user made a mistake, instead of having some non-fatal form of error
handling.  I don't think that should be acceptable at all, though I agree
it's very common.  If I had a dollar for every time I've lost work because a
segfault or GPF happened before I saved my document...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ