Open Source and information security mailing list archives
Date: Fri, 13 Sep 2013 15:30:37 -0400
From: Justin Ferguson <>
Cc: full-disclosure <>,
 Steve Wray <>
Subject: Re: Internet has vuln.

derp, strike the part about steve wray v jeff walton; everything else
remains valid.

On Fri, Sep 13, 2013 at 3:28 PM, Jeffrey Walton <> wrote:
> On Fri, Sep 13, 2013 at 2:45 PM,  <> wrote:
>> On Thu, 12 Sep 2013 18:23:53 -0400, Jeffrey Walton said:
>>> They ignored my comments on fixed size arrays based on MAX_PATH and
>>> the subsequent overflows and silent truncations due to use of sprintf
>>> and snprintf....
>> Which "they" was it?
>> If you're referring to this:
> There were many more than just that one.
>> Note that the guy you were replying to was a Japanese software engineer
>> employed by NEC.  If you want to argue the guy was an NSA plant trying to get a
>> backdoor in, feel free. But don't expect to be taken seriously without some
>> additional evidence.
> The code was accepted into the project
>> And it counted as "underhanded", how, exactly?
> I did not claim that.
>> In other words - under what conditions can you make a truncation to MAX_PATH
>> cause an actual hole? And to count as "underhanded" rather than merely "buggy",
>> you'd need at least a whiff of evidence that it was intentional.
> What's the difference if it's exploitable in practice?
> There's no need to consciously add backdoors when developers are
> checking in shit code. They serve the same purpose and add a level of
> deniability.
>> Or as Kohei replied to you:
>> "The selinux_mnt is not a variable given by external one, unless
>> application does not update it by itself.
>> It is not difficult to modify this part to return ENAMETOOLONG
>> when snprintf() returns a value larger than or equal to PATH_MAX."
>> In the Linux community, this would count as '-ENOPATCH', as I'm not
>> finding where you ever submitted a patch to fix the issue.
> The more eyes the better, right....
> Crowd sourcing security is a myth.
> Jeff
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> Hosted and sponsored by Secunia -

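The snprintf()-into-a-fixed-buffer pattern the thread argues about, and the return-value check Kohei proposed, as an added C example: this is not code from the thread, from libselinux or from any patch discussed there. DEMO_PATH_MAX, build_path_silent and build_path_checked are names chosen here (DEMO_PATH_MAX stands in for PATH_MAX so the overflow case is easy to trigger), and the mount-point strings are constructed inputs.

```c
/* Added example, not code from the thread or from libselinux.
 * Shows silent snprintf() truncation into a PATH_MAX-style buffer
 * next to the ENAMETOOLONG check suggested in the thread. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Deliberately small so a test can trigger truncation; a real build
 * would use PATH_MAX from <limits.h>. Name is ours. */
#define DEMO_PATH_MAX 32

/* The pattern criticised in the thread: snprintf() into a fixed-size
 * buffer with the return value ignored. Unlike sprintf() it cannot
 * overflow the buffer, but when the formatted string does not fit it is
 * cut off silently and the caller goes on with a path that names a
 * different object (or nothing at all). */
void build_path_silent(char *out, const char *mnt, const char *leaf)
{
    snprintf(out, DEMO_PATH_MAX, "%s/%s", mnt, leaf);
}

/* The fix Kohei described: snprintf() returns the length the complete
 * string would have had. If that is >= the buffer size, truncation
 * happened, so report ENAMETOOLONG instead of using a mangled path.
 * Returns 0 on success, -1 with errno set on failure. */
int build_path_checked(char *out, const char *mnt, const char *leaf)
{
    int n = snprintf(out, DEMO_PATH_MAX, "%s/%s", mnt, leaf);
    if (n < 0) {
        errno = EINVAL;   /* snprintf itself failed (encoding error) */
        out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= DEMO_PATH_MAX) {
        errno = ENAMETOOLONG;
        out[0] = '\0';    /* never hand back a half-built path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[DEMO_PATH_MAX];
    /* Constructed inputs: one mount point that fits, one that does not. */
    const char *ok_mnt   = "/sys/fs/selinux";
    const char *long_mnt = "/very/long/mount/point/that/does/not/fit";

    build_path_silent(buf, ok_mnt, "booleans");
    printf("silent, fits:      %s\n", buf);
    build_path_silent(buf, long_mnt, "booleans");
    printf("silent, truncated: %s\n", buf);   /* no error, wrong path */

    if (build_path_checked(buf, long_mnt, "booleans") < 0)
        printf("checked: %s\n", strerror(errno));
    return 0;
}
```

The silent variant is what Jeff calls a "silent truncation": no crash, no error, just a path that is no longer the one intended. The checked variant costs one comparison and turns the same input into a reportable error, which is the whole of the fix the thread says was never submitted as a patch.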
