Message-ID: <16949.1208528432@turing-police.cc.vt.edu>
Date: Fri, 18 Apr 2008 10:20:32 -0400
From: Valdis.Kletnieks@...edu
To: reepex <reepex@...il.com>
Cc: Luigi Auriemma <aluigi@...istici.org>, full-disclosure@...ts.grok.org.uk
Subject: Re: Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows

On Thu, 17 Apr 2008 23:17:14 CDT, reepex said:
> I find it funny you are the one to complain about too many advisories when
> you spam the list with sprintf and strcpy bugs you grepped for in random
> applications every day
> 
> On Tue, Apr 15, 2008 at 9:20 AM, Luigi Auriemma <aluigi@...istici.org> wrote:

> > It's just like if someone finds a bug in zlib and releases 10000
> > advisories, one for each program in the world which uses the library...
> > the bug is not in these 10000 programs but only in zlib.

And in fact, the last time there was a bug in zlib, there *were* a zillion
advisories, because at the time, a zillion packages carried their own private
copy of zlib around because it may or may not have been available on the
target system, or because they statically linked zlib in so just updating the
system copy of the shared library doesn't help.

Nobody (as far as I know) filed an advisory for packages that used the system
zlib, only for those packages that wouldn't be fixed by updating the system
copy.

I'd be interested in knowing what Luigi would recommend be done for such
packages...
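The privately carried or statically linked zlib copies Valdis describes are exactly what a system library update misses. As an added example (not from this thread, and not zlib's or any project's own code), below is a small Python scanner that looks for the version banners zlib's deflate.c and inflate.c compile into any binary containing them and flags copies older than a chosen fixed version; the sample binaries, their version numbers and the fixed-version threshold are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# zlib's deflate.c and inflate.c each compile in a banner such as
# " deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly " or
# " inflate 1.2.3 Copyright 1995-2005 Mark Adler ". The banner survives
# static linking, so a byte scan finds a private zlib copy and its version
# even when the binary declares no dependency on the shared libz.
ZLIB_BANNER = re.compile(
    rb"(?P<comp>deflate|inflate) (?P<ver>\d+(?:\.\d+){1,3}) Copyright \d{4}-\d{4} "
)

def parse_version(ver: str) -> Tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3, 0); padding makes '1.2' and '1.2.0' compare equal."""
    parts = tuple(int(p) for p in ver.split("."))
    return parts + (0,) * (4 - len(parts))

def find_bundled_zlib(blob: bytes) -> Dict[str, str]:
    """Return {component: version} for every zlib banner found in the bytes."""
    return {m.group("comp").decode(): m.group("ver").decode()
            for m in ZLIB_BANNER.finditer(blob)}

def audit(binaries: Dict[str, bytes], fixed_version: str) -> List[Tuple[str, str, str]]:
    """List (binary, component, version) for bundled copies older than fixed_version.

    A binary with no banner is assumed to use the system libz (or no zlib at
    all) and is therefore covered by updating the shared library.
    """
    threshold = parse_version(fixed_version)
    flagged = []
    for name, blob in binaries.items():
        for comp, ver in sorted(find_bundled_zlib(blob).items()):
            if parse_version(ver) < threshold:
                flagged.append((name, comp, ver))
    return flagged

# Constructed stand-ins for real executables: a few bytes of filler around
# the banner strings. Version numbers are illustrative only.
SAMPLE_BINARIES = {
    "uses-system-libz": b"\x7fELF\x00\x00libz.so.1\x00inflateInit_\x00",
    "static-old": (b"\x7fELF\x00 deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly "
                   b"\x00 inflate 1.2.2 Copyright 1995-2004 Mark Adler \x00"),
    "static-current": b"\x7fELF\x00 inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00",
}

if __name__ == "__main__":
    # Placeholder threshold: substitute the version that carries the fix.
    for name, comp, ver in audit(SAMPLE_BINARIES, "1.2.3"):
        print(f"{name}: bundled zlib {comp} {ver} needs its own rebuild")
```

On a real system the same scan runs over the bytes of each installed executable and shared object; a fork that edits or strips the banner will not be found this way, so treat a clean result as absence of evidence rather than proof.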


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
