Bugtraq mailing list archives

Re: [HERT] Advisory #002 Buffer overflow in lsof

From: spaf () CS PURDUE EDU (Gene Spafford)
Date: Thu, 18 Feb 1999 21:41:16 -0500

The REAL problem is software package maintainers who do not proactively
audit their software.


That some vendors miss problems, or that software in widespread legacy use is
suddenly found to be vulnerable to a flaw is still not a reason to widely
publish a description of a potential attack before the vendor is notified.

Yes, some software could be written better.  Yes, some vendors may do a poor
job of responding to reports.

Still, posting attacks or vulnerabilities that are in not in general
knowledge and are not being actively exploited and *before* the vendor has
been given a chance to respond is not being part of the solution.   It is
arrogance or showing off.

People who really want to improve security find ways to avoid hurting victims
and increase protection.   If there is a problem that is not known and not
under attack, notifying the vendor and waiting for a valid fix to appear is
not going to result in anyone being hurt.   Posting an exploit widely for a
previously unknown problem suddenly opens up all the current users to attack.

That there is (perhaps) a problem in assurance does not forgive this problem.
 Two wrongs do not make a right.

Current thread:

Re: ICQ99 crash, (continued)
- - - Re: ICQ99 crash Timothy Doane (Feb 16)
    - Website Pro v2.0 (NT) Configuration Issues Christian Antkow (Feb 16)
    - [HERT] Advisory #002 Buffer overflow in lsof Anthony C . Zboralski (Feb 17)
    - [SECURITY] New versions of super fixes two buffer overflows joey () FINLANDIA INFODROM NORTH DE (Feb 18)
    - Re: [HERT] Advisory #002 Buffer overflow in lsof Vic Abell (Feb 18)
    - Tetrix 1.13.16 is Vulnerable Steven Hodges (Feb 17)
    - Re: Tetrix 1.13.16 is Vulnerable Pavel Machek (Feb 19)
    - ADMsnmp SNMP Audit scanner root (Feb 17)
    - Re: [HERT] Advisory #002 Buffer overflow in lsof Gene Spafford (Feb 18)
    - Re: [HERT] Advisory #002 Buffer overflow in lsof Theo de Raadt (Feb 18)
    - Re: [HERT] Advisory #002 Buffer overflow in lsof Gene Spafford (Feb 18)
    - IE0199.exe uninstaller David Brumley (Feb 19)
    - Re: [HERT] Advisory #002 Buffer overflow in lsof Weld Pond (Feb 19)
    - Re: [HERT] Advisory #002 Buffer overflow in lsof Valdis.Kletnieks () VT EDU (Feb 19)
    - Plaintext Password in Tractive's Remote Manager Software Trevor Gryffyn (Feb 19)
    - Re: [HERT] Advisory #002 Buffer overflow in lsof Peter W (Feb 19)
    - Re: [HERT] Advisory #002 Buffer overflow in lsof John DiMarco (Feb 19)
    - Re: [HERT] Advisory #002 Buffer overflow in lsof brian j pardy (Feb 19)
    - Re: [HERT] Advisory #002 Buffer overflow in lsof Greg Woods (Feb 19)
    - Re: [HERT] Advisory #002 Buffer overflow in lsof route () RESENTMENT INFONEXUS COM (Feb 18)
    - Re: [HERT] Advisory #002 Buffer overflow in lsof Fred W. Noltie Jr. (Feb 19)

(Thread continues...)