Full Disclosure mailing list archives

Re: Internet has vuln.

From: Justin Ferguson <jf () ownco net>
Date: Fri, 13 Sep 2013 15:30:37 -0400

derp, strike the part about steve wray v jeff walton; everything else
remains valid.

On Fri, Sep 13, 2013 at 3:28 PM, Jeffrey Walton <noloader () gmail com> wrote:

On Fri, Sep 13, 2013 at 2:45 PM,  <Valdis.Kletnieks () vt edu> wrote:

On Thu, 12 Sep 2013 18:23:53 -0400, Jeffrey Walton said:

They ignored my comments on fixed size arrays based on MAX_PATH and
the subsequent overflows and silent truncations due to use of sprintf
and snprintf....


Which "they" was it?

If you're referring to this:

http://comments.gmane.org/gmane.comp.security.selinux/16844

There were many more than just that one.

Note that the guy you were replying to was a Japanese software engineer
employed by NEC.  If you want to argue the guy was an NSA plant trying to get a
backdoor in, feel free. But don't expect to be taken seriously without some
additional evidence.

The code was accepted into the project

And it counted as "underhanded", how, exactly?

I did not claim that.

In other words - under what conditions can you make a truncation to MAX_PATH
cause an actual hole? And to count as "underhanded" rather than merely "buggy",
you'd need at least a whiff of evidence that it was intentional.

What's the difference if its exploitable in practice?

There's no need to consciously add backdoors when developers are
checking in shit code. They serve the same purpose add add a level of
deniability.

Or as Kohei replied to you:

"The selinux_mnt is not a variable given by external one, unless
application does not update it by itself.

It is not difficult to modify this part to return ENAMETOOLONG
when snprintf() returns larger or equal with PATH_MAX."

In the Linux community, this would count as '-ENOPATCH', as I'm not
finding where you ever submitted a patch to fix the issue.

The more eyes the better, right....

Crowd sourcing security is a myth.

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Internet has vuln., (continued)
- Re: Internet has vuln. coderman (Sep 11)
  - Re: Internet has vuln. coderman (Sep 11)
    - Re: Internet has vuln. Steve Wray (Sep 12)
    - Re: Internet has vuln. coderman (Sep 12)
    - Re: Internet has vuln. coderman (Sep 12)
    - Re: Internet has vuln. Valdis . Kletnieks (Sep 12)
    - Re: Internet has vuln. Jeffrey Walton (Sep 12)
    - Re: Internet has vuln. Valdis . Kletnieks (Sep 13)
    - Re: Internet has vuln. Justin Ferguson (Sep 13)
    - Re: Internet has vuln. Jeffrey Walton (Sep 13)
    - Re: Internet has vuln. Justin Ferguson (Sep 13)
    - Re: Internet has vuln. Tracy Reed (Sep 13)
    - Re: Internet has vuln. Steve Wray (Sep 14)
- Re: Internet has vuln. Georgi Guninski (Sep 12)
- Re: Internet has vuln. Marcio B. Jr. (Sep 13)