Re: [HERT] Advisory #002 Buffer overflow in lsof

From: brian j pardy (posterkidat_private)
Date: Fri Feb 19 1999 - 12:39:47 PST

    On Thu, 18 Feb 1999, Theo de Raadt wrote:
    
    > > People who publish bugs/exploits that are not being actively exploited
    > > *before* giving the vendor a chance to fix the flaws are clearly
    > > grandstanding.  They're part of the problem -- not the solution.
    >
    > No.  The problem is badly written code.
    >
    > It takes me about 2 minutes to find bugs in security related software.
    >
    > I am assuming that I'm not the only person looking for these kinds of
    > bugs.
    >
    > The REAL problem is software package maintainers who do not proactively
    > audit their software.
    
    It is also downright rude to maintainers, regardless of whether or not
    they proactively audit.  Something can always be missed, and there is
    no reason to open X number of systems up to an unknown bug before there
    is any kind of a patch available.
    
    If an exploit is being actively exploited, then YES, information should
    be as widely disseminated as possible.  If one is picking through the
    code and sees something funny that may be exploitable, it IS nothing more
    than grandstanding when announced without a fix.  If someone can hack
    code well enough to recognize flaws, they can hack out a preliminary
    patch (esp. with free software, obviously the vendor should be given a
    reasonable time period (note: 24 hours is not reasonable) with closed
    source software) that can at least give people a heads up if the
    maintainers choose to ignore it.
    
    I thought everyone just wanted to make software more secure, not gain
    the undying admiration of script kiddiez and d00dz everywhere.
    
    It's NOT THAT HARD to send a bug report in to a maintainer.  When these
    things come to BUGTRAQ they have to filter through secondhand to dev
    teams, which is NOT the way to get secure software.  It only encourages
    more exploitation of innocent systems.
    
    I'm off-topic.  Sorry.
    
    --
    <http://www.psnw.com/~posterkid/keys/> for DSA/ElG-E/RSA keys
    DSA 0x0A641AA5:0B1E 37B7 ECCB FC96 B6C6  7242 0A59 F8D5 EFA9 4F81
    RSA 0x4E65C321: 42 57 B3 D2 39 8E 74 C3  5E 4D AC 43 25 D2 26 D4
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:31 PDT