Bugtraq mailing list archives

Re: [HERT] Advisory #002 Buffer overflow in lsof


From: posterkid () psnw com (brian j pardy)
Date: Fri, 19 Feb 1999 12:39:47 -0800


On Thu, 18 Feb 1999, Theo de Raadt wrote:

> > People who publish bugs/exploits that are not being actively exploited
> > *before* giving the vendor a chance to fix the flaws are clearly
> > grandstanding.  They're part of the problem -- not the solution.
>
> No.  The problem is badly written code.
>
> It takes me about 2 minutes to find bugs in security related software.
>
> I am assuming that I'm not the only person looking for these kinds of
> bugs.
>
> The REAL problem is software package maintainers who do not proactively
> audit their software.

It is also downright rude to maintainers, regardless of whether or not
they proactively audit.  Something can always be missed, and there is
no reason to open X number of systems up to an unknown bug before there
is any kind of a patch available.

If an exploit is being actively exploited, then YES, information should
be as widely disseminated as possible.  If one is picking through the
code and sees something funny that may be exploitable, it IS nothing more
than grandstanding when announced without a fix.  If someone can hack
code well enough to recognize flaws, they can hack out a preliminary
patch (esp. with free software, obviously the vendor should be given a
reasonable time period (note: 24 hours is not reasonable) with closed
source software) that can at least give people a heads up if the
maintainers choose to ignore it.

I thought everyone just wanted to make software more secure, not gain
the undying admiration of script kiddiez and d00dz everywhere.

It's NOT THAT HARD to send a bug report in to a maintainer.  When these
things come to BUGTRAQ they have to filter through secondhand to dev
teams, which is NOT the way to get secure software.  It only encourages
more exploitation of innocent systems.

I'm off-topic.  Sorry.

--
<http://www.psnw.com/~posterkid/keys/> for DSA/ElG-E/RSA keys
DSA 0x0A641AA5:0B1E 37B7 ECCB FC96 B6C6  7242 0A59 F8D5 EFA9 4F81
RSA 0x4E65C321: 42 57 B3 D2 39 8E 74 C3  5E 4D AC 43 25 D2 26 D4
