Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAG-zyRwN=pzpz8U_VS9AQGem6o4mXu5B-3h53en0KfbeEOFHTA@mail.gmail.com>
Date: Fri, 13 Sep 2013 15:30:37 -0400
From: Justin Ferguson <jf@...co.net>
To: noloader@...il.com
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
 Steve Wray <stevedwray@...il.com>
Subject: Re: Internet has vuln.

derp, strike the part about steve wray v jeff walton; everything else
remains valid.

On Fri, Sep 13, 2013 at 3:28 PM, Jeffrey Walton <noloader@...il.com> wrote:
> On Fri, Sep 13, 2013 at 2:45 PM,  <Valdis.Kletnieks@...edu> wrote:
>> On Thu, 12 Sep 2013 18:23:53 -0400, Jeffrey Walton said:
>>
>>> They ignored my comments on fixed size arrays based on MAX_PATH and
>>> the subsequent overflows and silent truncations due to use of sprintf
>>> and snprintf....
>>
>> Which "they" was it?
>>
>> If you're referring to this:
>>
>> http://comments.gmane.org/gmane.comp.security.selinux/16844
> There were many more than just that one.
>
>> Note that the guy you were replying to was a Japanese software engineer
>> employed by NEC.  If you want to argue the guy was an NSA plant trying to get a
>> backdoor in, feel free. But don't expect to be taken seriously without some
>> additional evidence.
> The code was accepted into the project.
>> And it counted as "underhanded", how, exactly?
> I did not claim that.
>
>> In other words - under what conditions can you make a truncation to MAX_PATH
>> cause an actual hole? And to count as "underhanded" rather than merely "buggy",
>> you'd need at least a whiff of evidence that it was intentional.
> What's the difference if it's exploitable in practice?
>
> There's no need to consciously add backdoors when developers are
> checking in shit code. They serve the same purpose and add a level of
> deniability.
>
>> Or as Kohei replied to you:
>>
>> "The selinux_mnt is not a variable given by external one, unless
>> application does not update it by itself.
>>
>> It is not difficult to modify this part to return ENAMETOOLONG
>> when snprintf() returns larger or equal with PATH_MAX."
>>
>> In the Linux community, this would count as '-ENOPATCH', as I'm not
>> finding where you ever submitted a patch to fix the issue.
> The more eyes the better, right....
>
> Crowd sourcing security is a myth.
>
> Jeff
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
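
The check described in the quoted reply from Kohei (return ENAMETOOLONG when snprintf() returns a value larger than or equal to PATH_MAX), shown next to the unchecked form. This is an added example, not code from the thread or from the SELinux project; the function names, the "enforce" file name and the 'A'-filled mount point are constructed for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Unchecked: the return value of snprintf is dropped, so an over-long
 * result is silently cut and the caller goes on with a different path. */
static void join_unchecked(char *out, size_t outlen, const char *mnt, const char *name) {
    snprintf(out, outlen, "%s/%s", mnt, name);
}

/* Checked: snprintf returns the length it needed, excluding the NUL.
 * A value >= outlen means the output was truncated. */
static int join_checked(char *out, size_t outlen, const char *mnt, const char *name) {
    int n = snprintf(out, outlen, "%s/%s", mnt, name);
    if (n < 0) return -1;            /* output error reported by snprintf */
    if ((size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Constructed input: a mount point made of mnt_len 'A' characters. */
static void make_mnt(char *mnt, size_t mnt_len) {
    memset(mnt, 'A', mnt_len);
    mnt[mnt_len] = '\0';
}

/* Returns 0 if the checked join succeeds, otherwise the errno it set. */
int checked_errno_for(size_t mnt_len) {
    char mnt[PATH_MAX], out[PATH_MAX];
    make_mnt(mnt, mnt_len);
    return join_checked(out, sizeof out, mnt, "enforce") == 0 ? 0 : errno;
}

/* Returns the length of what the unchecked join left in the buffer. */
size_t unchecked_len_for(size_t mnt_len) {
    char mnt[PATH_MAX], out[PATH_MAX];
    make_mnt(mnt, mnt_len);
    join_unchecked(out, sizeof out, mnt, "enforce");
    return strlen(out);
}

int main(void) {
    return printf("fits=%d too_long=%d\n", checked_errno_for(16), checked_errno_for(PATH_MAX - 8)) < 0;
}
```

With a mount point of PATH_MAX - 8 characters the joined path needs exactly PATH_MAX bytes plus the terminator, which is the first length at which the unchecked form loses the final character of the file name.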