| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Sep 2013 15:30:37 -0400 From: Justin Ferguson <jf@...co.net> To: noloader@...il.com Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>, Steve Wray <stevedwray@...il.com> Subject: Re: Internet has vuln. derp, strike the part about steve wray v jeff walton; everything else remains valid. On Fri, Sep 13, 2013 at 3:28 PM, Jeffrey Walton <noloader@...il.com> wrote: > On Fri, Sep 13, 2013 at 2:45 PM, <Valdis.Kletnieks@...edu> wrote: >> On Thu, 12 Sep 2013 18:23:53 -0400, Jeffrey Walton said: >> >>> They ignored my comments on fixed size arrays based on MAX_PATH and >>> the subsequent overflows and silent truncations due to use of sprintf >>> and snprintf.... >> >> Which "they" was it? >> >> If you're referring to this: >> >> http://comments.gmane.org/gmane.comp.security.selinux/16844 > There were many more than just that one. > >> Note that the guy you were replying to was a Japanese software engineer >> employed by NEC. If you want to argue the guy was an NSA plant trying to get a >> backdoor in, feel free. But don't expect to be taken seriously without some >> additional evidence. > The code was accepted into the project >> And it counted as "underhanded", how, exactly? > I did not claim that. > >> In other words - under what conditions can you make a truncation to MAX_PATH >> cause an actual hole? And to count as "underhanded" rather than merely "buggy", >> you'd need at least a whiff of evidence that it was intentional. > What's the difference if its exploitable in practice? > > There's no need to consciously add backdoors when developers are > checking in shit code. They serve the same purpose add add a level of > deniability. > >> Or as Kohei replied to you: >> >> "The selinux_mnt is not a variable given by external one, unless >> application does not update it by itself. >> >> It is not difficult to modify this part to return ENAMETOOLONG >> when snprintf() returns larger or equal with PATH_MAX." >> >> In the Linux community, this would count as '-ENOPATCH', as I'm not >> finding where you ever submitted a patch to fix the issue. > The more eyes the better, right.... > > Crowd sourcing security is a myth. > > Jeff > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists