Secure Coding mailing list archives

Interesting tidbit in iDefense Security Advisory 06.26.07

From: Kevin.Wall at qwest.com (Wall, Kevin)
Date: Tue, 26 Jun 2007 16:25:05 -0500

Ken,

You wrote...

Mind you, the overrun can only be exploited when specific characters  
are used as input to the loop in the code.  Thus, I'm inclined to  
think that this is an interesting example of a bug that would have  
been extraordinarily difficult to find using black box testing, even  
fuzzing.
<...deleted...>
The iDefense team doesn't say how the (anonymous) person  
who reported it found it, but I for one would be really curious to  
hear that story.


Reading from the iDefense security advisory on this, it says:

  IV. DETECTION

  iDefense has confirmed the existence of this vulnerability in version
  10.5-GOLD of RealNetworks' RealPlayer and HelixPlayer. Confirmation of
  the existence this vulnerability within HelixPlayer was done via
SOURCE
  CODE REVIEW. Older versions are assumed to be vulnerable. 

(Emphasis mine.)

So looks like it was discovered manually, possibly with the aid of a
static source code analyzer that ignores Flawfinder comments.
Apparently,
you missed that because of your jet lag. ;-)

The sad thing is that based on the documented "Disclosure Timeline", it
seems that almost 8 full months have past since the vendor
(RealNetworks)
responded with a fix. I mean, was the fix really rocket science that it
had to take THAT LONG??? IMHO, no excuse for taking that long.

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall at qwest.com Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.

Current thread:

Interesting tidbit in iDefense Security Advisory 06.26.07 Kenneth Van Wyk (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Steven M. Christey (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Wall, Kevin (Jun 26)
  - Interesting tidbit in iDefense Security Advisory 06.26.07 Paco Hope (Jun 26)
    - Interesting tidbit in iDefense Security Advisory 06.26.07 Steven M. Christey (Jun 26)
  - The Next Frontier McGovern, James F (HTSC, IT) (Jun 26)
    - The Next Frontier Paco Hope (Jun 27)
    - The Next Frontier ljknews (Jun 27)
    - The Next Frontier Steven M. Christey (Jun 27)
    - The Next Frontier McGovern, James F (HTSC, IT) (Jun 28)
- Interesting tidbit in iDefense Security Advisory 06.26.07 J. M. Seitz (Jun 26)
  - Interesting tidbit in iDefense Security Advisory 06.26.07 Leichter, Jerry (Jun 27)
    - Comparing Software Vendors McGovern, James F (HTSC, IT) (Jun 28)

(Thread continues...)