Full Disclosure mailing list archives
Re: Internet has vuln.
From: Justin Ferguson <jf () ownco net>
Date: Fri, 13 Sep 2013 15:30:37 -0400
derp, strike the part about steve wray v jeff walton; everything else remains valid. On Fri, Sep 13, 2013 at 3:28 PM, Jeffrey Walton <noloader () gmail com> wrote:
On Fri, Sep 13, 2013 at 2:45 PM, <Valdis.Kletnieks () vt edu> wrote:On Thu, 12 Sep 2013 18:23:53 -0400, Jeffrey Walton said:They ignored my comments on fixed size arrays based on MAX_PATH and the subsequent overflows and silent truncations due to use of sprintf and snprintf....Which "they" was it? If you're referring to this: http://comments.gmane.org/gmane.comp.security.selinux/16844There were many more than just that one.Note that the guy you were replying to was a Japanese software engineer employed by NEC. If you want to argue the guy was an NSA plant trying to get a backdoor in, feel free. But don't expect to be taken seriously without some additional evidence.The code was accepted into the projectAnd it counted as "underhanded", how, exactly?I did not claim that.In other words - under what conditions can you make a truncation to MAX_PATH cause an actual hole? And to count as "underhanded" rather than merely "buggy", you'd need at least a whiff of evidence that it was intentional.What's the difference if its exploitable in practice? There's no need to consciously add backdoors when developers are checking in shit code. They serve the same purpose add add a level of deniability.Or as Kohei replied to you: "The selinux_mnt is not a variable given by external one, unless application does not update it by itself. It is not difficult to modify this part to return ENAMETOOLONG when snprintf() returns larger or equal with PATH_MAX." In the Linux community, this would count as '-ENOPATCH', as I'm not finding where you ever submitted a patch to fix the issue.The more eyes the better, right.... Crowd sourcing security is a myth. Jeff _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Internet has vuln., (continued)
- Re: Internet has vuln. coderman (Sep 11)
- Re: Internet has vuln. coderman (Sep 11)
- Re: Internet has vuln. Steve Wray (Sep 12)
- Re: Internet has vuln. coderman (Sep 12)
- Re: Internet has vuln. coderman (Sep 12)
- Re: Internet has vuln. Valdis . Kletnieks (Sep 12)
- Re: Internet has vuln. Jeffrey Walton (Sep 12)
- Re: Internet has vuln. Valdis . Kletnieks (Sep 13)
- Re: Internet has vuln. Justin Ferguson (Sep 13)
- Re: Internet has vuln. Jeffrey Walton (Sep 13)
- Re: Internet has vuln. Justin Ferguson (Sep 13)
- Re: Internet has vuln. coderman (Sep 11)
- Re: Internet has vuln. coderman (Sep 11)
- Re: Internet has vuln. Tracy Reed (Sep 13)
- Re: Internet has vuln. Steve Wray (Sep 14)