Open Source and information security mailing list archives
From: phantasmal at (Phantasmal Phantasmagoria)
Subject: Re: The Cult of a Cardinal Number

Hash: SHA1

>A cc of this email to would have been
>if you felt the need not to give any prior warning to the team so
>problematic versions could be removed from the ftp archives and/or
>    Mark Lowes
>Mark Lowes <>

Certainly, this is a reasonable request. But it has to be said that I had
the distinct impression that the 'team' was already aware of the
problems surrounding xlate_ascii_write(), and were merely inclined to
ignore the (perhaps) insignificant percentage of the ProFTPD user base
that had not yet updated to 1.2.9. My justification lies in the resolution
of Bug#2200 which included the clean up of xlate_ascii_write() that saw
these overflows fixed. Castaglia writes in revision 1.69's log message:

"Bug#2200 - Correct segfaults with xlate_ascii_write on IRIX. Some of
the last of the remaining code (whose I understood only partially, such
as the session.xfer.buf++ increment) is now removed, as well as a
potentially dangerous NUL-termination statement."

This leaves me with two possible scenarios. Firstly, castaglia reads
Jesse Sipprell's bug report and without fully understanding the problem
commits the provided patch. Or secondly, castaglia reads Jesse
Sipprell's bug report and realises the possible ramifications of the
highlighted issues, deciding to silently patch them under the guise of
'IRIX segfaults' rather than endure the publicity of yet another
exploitable buffer overflow in his pet project (just days after the ISS

There may be arguments for both accounts, but let's give castaglia
some credit. He knows what he's doing, and I believe that he knew
exactly what the issues meant. Would you mark code as "potentially
dangerous" yet not investigate the matter further to find the complete
implications it may have on your user base? Would anyone?

Phantasmal Phantasmagoria

Note: This signature can be verified at
Version: Hush 2.3

