Bugtraq mailing list archives
Re: [HERT] Advisory #002 Buffer overflow in lsof
From: jdd () CS TORONTO EDU (John DiMarco)
Date: Fri, 19 Feb 1999 14:17:14 -0500
In message <199902190011.RAA26284 () cvs openbsd org> you write:

> > People who publish bugs/exploits that are not being actively exploited *before* giving the vendor a chance to fix the flaws are clearly grandstanding. They're part of the problem -- not the solution.
>
> No. The problem is badly written code.
>
> ...
>
> The REAL problem is software package maintainers who do not proactively audit their software.
Theo and Gene are both right. The original problem is badly written code. But telling everybody except the author about it compounds the problem, at least in the short term, by helping exploiters win the bugfix race.

Authors who write security-sensitive code should audit it carefully for security holes. But if someone else finds a hole the author missed, _please_ tell the author right away so (s)he can fix it. It's not only the courteous thing to do, it's often the best and quickest way to eliminate the bug, which is what we all want to see. If an author isn't responsive, that's another matter.

Further, I find the most useful BUGTRAQ postings to be ones that focus not only on the problem, but outline appropriate fixes too; co-operation with the author, if possible, is often the best way to put together fixes that make sense.

Regards,

John

--
John DiMarco <jdd () cs toronto edu>          Office: SF2101
CSLab Systems Manager                         Phone: 416-978-5300
University of Toronto                         Fax: 416-978-1931
http://www.cs.toronto.edu/~jdd