Re: EMERGENCY: new remote root exploit in UW imapd

From: D. J. Bernstein (djbat_private)
Date: Tue Jul 28 1998 - 03:18:36 PDT

Next message: J.R. Valverde: "Re: Fwd: Any user can panic OpenBSD machine"

Previous message: Felix Schroeter: "Re: Fwd: Any user can panic OpenBSD machine"
Maybe in reply to: Anonymous: "EMERGENCY: new remote root exploit in UW imapd"
Next in thread: der Mouse: "Re: EMERGENCY: new remote root exploit in UW imapd"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Beware of the Dijkstra phenomenon.

The phenomenon is that immodular code seems more ``productive'' than
heavily modularized code. You can read or write many more lines per hour
of malloc(), strcpy(), free() than of unfamiliar high-level routines.

Of course, the modular code ends up being _much_ smaller. It also lets
you independently check the correctness of each module; this scales to
arbitrarily large systems if the modules remain small.

Adam Shostack writes:
> we attempted to look at the qmail source.  (.89 or .91 or so).

Things have changed since then. For example, I documented most of the
Sub-Standard C Library(tm) in 1997.

> We were rarely sure when the code segments we were looking at
> were considered security critical.

Anything touching the user's mail is security-critical---maybe not from
root's point of view, but certainly from the user's point of view.

---Dan
Binary qmail distributions are allowed! http://pobox.com/~djb/qmail/dist.html

Next message: J.R. Valverde: "Re: Fwd: Any user can panic OpenBSD machine"
Previous message: Felix Schroeter: "Re: Fwd: Any user can panic OpenBSD machine"
Maybe in reply to: Anonymous: "EMERGENCY: new remote root exploit in UW imapd"
Next in thread: der Mouse: "Re: EMERGENCY: new remote root exploit in UW imapd"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:47 PDT