Bugtraq mailing list archives

Re: NT RPC Hotfix


From: volobuev () t1 chem umn edu (Yuri Volobuev)
Date: Fri, 24 Jan 1997 15:00:46 -0600


> decide which companies survive and which don't. I also know that when a
> bug comes out that a workaround can commonly be done in a few hours, and I

An off-topic note.  I'm not doing programming for a living, so I'm not an
authority, but I want to say that I totally agree with the above statement.
There are very few bugs that require some serious changes to the code.  Most
common ones are very easy to fix, and it's usually a no-brainer.

One of the reasons Unix (and other) vendors give when the patch takes
forever to get through is "extensive testing".  I don't want to make blanket
statements, but look at an example.  Some of you may remember the "happy end"
netprint story (for those who don't: there was a root hole in the netprint
program, part of Irix.  I reported the problem to SGI, but didn't go public, for
testing purposes.  In about a month, a patch was released).  They took their
time to make that patch.  AUSCERT folks proposed putting in a wrapper, which
would neutralize the problem, but I insisted that because of the complexity
of the problem it's better to wait for a real patch; a wrapper may screw
something up.  Well, that's what being young and inexperienced is all about,
blindly believing in something one should never believe in.  I thought that
since the patch is from SGI, and they got time to test it, it should work, so I
didn't even bother testing it myself, and went on with the New Year celebration.
Guess what: the patch breaks the entire printing thing.  Simple as that.  On all
my Irix 5.3 boxes netprint, when invoked _by_ lp, complains that it should
be run by lp and quits.  So I ended up putting a wrapper in place that calls
the real netprint as root.  Maybe I've done something stupid myself, but I
don't think so.

Moral?  A month's worth of waiting was basically wasted.  The fact that the vendor
has time to test something doesn't mean anything.  So "hot" fixes and
"carefully tested" fixes don't differ so much, on average.

yuri
Always speaking for myself and only for myself