Bugtraq mailing list archives
Re: [HERT] Advisory #002 Buffer overflow in lsof
From: posterkid () psnw com (brian j pardy)
Date: Fri, 19 Feb 1999 12:39:47 -0800
On Thu, 18 Feb 1999, Theo de Raadt wrote:
> > People who publish bugs/exploits that are not being actively exploited *before* giving the vendor a chance to fix the flaws are clearly grandstanding. They're part of the problem -- not the solution.
>
> No. The problem is badly written code. It takes me about 2 minutes to find bugs in security related software. I am assuming that I'm not the only person looking for these kinds of bugs. The REAL problem is software package maintainers who do not proactively audit their software.
It is also downright rude to maintainers, regardless of whether or not they proactively audit. Something can always be missed, and there is no reason to open X number of systems up to an unknown bug before there is any kind of a patch available.

If an exploit is being actively exploited, then YES, information should be as widely disseminated as possible. If one is picking through the code and sees something funny that may be exploitable, it IS nothing more than grandstanding when announced without a fix. If someone can hack code well enough to recognize flaws, they can hack out a preliminary patch (esp. with free software; obviously the vendor should be given a reasonable time period (note: 24 hours is not reasonable) with closed source software) that can at least give people a heads up if the maintainers choose to ignore it.

I thought everyone just wanted to make software more secure, not gain the undying admiration of script kiddiez and d00dz everywhere. It's NOT THAT HARD to send a bug report in to a maintainer. When these things come to BUGTRAQ they have to filter through secondhand to dev teams, which is NOT the way to get secure software. It only encourages more exploitation of innocent systems.

I'm off-topic. Sorry.

--
<http://www.psnw.com/~posterkid/keys/> for DSA/ElG-E/RSA keys
DSA 0x0A641AA5: 0B1E 37B7 ECCB FC96 B6C6 7242 0A59 F8D5 EFA9 4F81
RSA 0x4E65C321: 42 57 B3 D2 39 8E 74 C3 5E 4D AC 43 25 D2 26 D4