funsec mailing list archives
Re: Scan This Guy's E-Passport and Watch Your System Crash
From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 01 Aug 2007 21:32:25 +0200
The answer, of course, is that it depends. ;-)
Yeah.
When it comes to buffer overflows, I think the best course of action is to assume that an overflow error is always exploitable and just fix it.
If it's in managed code, and it's not networked, multi-tasked code, it should still be fairly safe. "Don't do it, then" is often a sufficient remedy.
OTOH, passport readers tend to be components of large, real-world systems and processes, and repeated failures in some circumstances might have interesting, exploitable side effects at a very high level. (Think about disabling a burglar alarm by repeatedly triggering false alarms.)
And let's not forget the PR angle--someone has certified that the software does not contain such errors. Who knows what else they have missed.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.