Date: Sun, 6 Nov 2011 05:11:09 -0500
From: Jeffrey Walton <noloader@...il.com>
To: Manfred Schmitt <full-disclosure@...shproc.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: How not to deal with a vulnerability in your code

On Sun, Nov 6, 2011 at 1:10 AM, Manfred Schmitt
<full-disclosure@...shproc.org> wrote:
> Jeremy Visser wrote:
>
>> On 05/11/2011, at 18:24, Leon Kaiser wrote:
>> > sudo apt-get remove calibre
>> [...]
>> Ubuntu has already had the bug fixed, because they use a safe udev-based hook. The vulnerability only applies to those who have installed Calibre from source. So "apt-get remove calibre" is a pretty naïve comment to make, but you couldn't resist the bashing, could you?
>
> The thread on launchpad clearly shows (at least for me) that the developer
> has absolutely no clue about security, so imo the way to go is, even if
> there are no local root exploits anymore (in upstream), to uninstall it.
> I'm not that adventurous to wait until it deletes all my user files
> because he (Maybe, I haven't looked at the source) also reinvented rm ;)

RMS has an interesting position on free software and security. Given a
choice, Stallman would rather see free software used even if it's not
secure (so I've been told):

    RMS has been quite open about it on several
    occasions when push came to shove: it was more
    important that GNU systems use free software than
    that they be secure [1]

calibre is not an isolated case (Kovid did look like an ass when he
blew off Rosenberg). Mailman has been storing plain text/reversible
passwords for years [2]. Debian and friends supply a reseed(8) which
fetches random data over HTTP and uses it to reseed the kernel's PRNG
[3]. It goes on and on.

After GNU's Savannah was hacked, I tried to get security-related items
into the GNU coding/style guide [4]. I did not even receive a reply from
the folks in Massachusetts.

Be wary of open source and free software - you get what you pay for.
And it's not even really free: take a look at GPL V3. Apparently,
Stallman encumbered it to set it free (???).

Jeff

[1] http://mail.python.org/pipermail/mailman-users/2011-November/072462.html
[2] http://mail.python.org/pipermail/mailman-users/2011-November/072445.html
[3] https://bugs.launchpad.net/ubuntu/+source/reseed/+bug/804594
[4] https://www.gnu.org/prep/standards/standards.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
