Re: Interesting (?) bug

["Rhys Kidd" <rhyskidd () gmail com>]

On 29/05/07, Chris Anley <chris () ngssoftware com> wrote:
> In fact, it appears to have been 'revealed' by the fix to this issue in
> 2005. So I guess maybe I just reviewed vpnd at a propitious time? Then
> again, 2 years is a while, right?
>
> Cheers,
>
>     -chris.
Apple really haven't managed to lever the value in open source secure code
review. I remember their "Open Directory" aka. OpenLDAP was woefully
out-of-date with upstream for a number of years. Best example was the
assert( 0 ) bug that had been fixed approximately 1.5 years previously in
OpenLDAP.

I'm sure if some one on this list had a spare week, and simply compared the
version from Apple OpenSource and the most up-to-date public release they're
be a few easy to spot bugs to garner a claim to fame. I hope Apple's recent
hires in Security Engineering can turn the ship around.

Rhys

BTW: To anyone else who has reviewed the OpenLDAP code, did it also strike
you as source code that was hard to follow with their formatting, and likely
to contain a few more DoS bugs due to liberal use of assert()'s in
non-debug?

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave