Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [HERT] Advisory #002 Buffer overflow in lsof

From: jdd () CS TORONTO EDU (John DiMarco)
Date: Fri, 19 Feb 1999 14:17:14 -0500

In message <199902190011.RAA26284 () cvs openbsd org>you write:

People who publish bugs/exploits that are not being actively exploited
*before* giving the vendor a chance to fix the flaws are clearly
grandstanding.  They're part of the problem -- not the solution.


No.  The problem is badly written code.

...

The REAL problem is software package maintainers who do not proactively
audit their software.


Theo and Gene are both right.  The original problem is badly written code.
But telling everybody except the author about it compounds the problem,
at least in the short term, by helping exploiters win the bugfix race.

Authors who write security-sensitive code should audit it carefully for
security holes.  But if someone else finds a hole the author missed, _please_
tell the author right away so (s)he can fix it.  It's not only the courteous
thing to do, it's often the best and quickest way to eliminate the bug,
which is what we all want to see.

If an author isn't responsive, that's another matter.

Further, I find the most useful BUGTRAQ postings to be ones that focus not
only on the problem, but outline appropriate fixes too; co-operation with the
author, if possible, is often the best way to put together fixes that make
sense.

Regards,

John
--
John DiMarco <jdd () cs toronto edu>                         Office: SF2101
CSLab Systems Manager                                     Phone: 416-978-5300
University of Toronto                                     Fax:   416-978-1931
http://www.cs.toronto.edu/~jdd
Previous By Date Next
Previous By Thread Next

Current thread: