Secure Coding mailing list archives
Interesting tidbit in iDefense Security Advisory 06.26.07
From: Kevin.Wall at qwest.com (Wall, Kevin)
Date: Tue, 26 Jun 2007 16:25:05 -0500
Ken,

You wrote...

> Mind you, the overrun can only be exploited when specific characters are used as input to the loop in the code. Thus, I'm inclined to think that this is an interesting example of a bug that would have been extraordinarily difficult to find using black box testing, even fuzzing.
> <...deleted...>
> The iDefense team doesn't say how the (anonymous) person who reported it found it, but I for one would be really curious to hear that story.

Reading from the iDefense security advisory on this, it says:

    IV. DETECTION

    iDefense has confirmed the existence of this vulnerability in version 10.5-GOLD of RealNetworks' RealPlayer and HelixPlayer. Confirmation of the existence of this vulnerability within HelixPlayer was done via SOURCE CODE REVIEW. Older versions are assumed to be vulnerable.

(Emphasis mine.)

So looks like it was discovered manually, possibly with the aid of a static source code analyzer that ignores Flawfinder comments. Apparently, you missed that because of your jet lag. ;-)

The sad thing is that based on the documented "Disclosure Timeline", it seems that almost 8 full months have passed since the vendor (RealNetworks) responded with a fix. I mean, was the fix really rocket science that it had to take THAT LONG??? IMHO, no excuse for taking that long.

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
Kevin.Wall at qwest.com
Phone: 614.215.4788

"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration"
- Edsger Dijkstra, How do we tell truths that matter?
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.