oss-sec mailing list archives
Re: pinocchio tmp vuln
From: John Haxby <john.haxby () oracle com>
Date: Tue, 09 Sep 2014 17:39:36 +0100
On 09/09/14 09:34, Steve Kemp wrote:
> I'm sure lots of modules exist created by inexperienced developers who haven't considered the implications of posting new code libraries.

We see lots of people making the same mistakes over and over again. Apart from the obvious newbie mistakes of failing to create proper temporary directories, we also get things like the slightly more subtle shipping a "secure" web server with a fixed self-signed cert. Or copying a user-supplied string into a MAXPATH+1 buffer because that's long enough for any pathname. Or ... I don't need to go on, we've all seen them and Kurt highlighting problems is all goodness because at least it gets people thinking a bit more about security. And we will need that because there are so many devices hitting the streets with so many noob vulns that it's only a matter of time before someone is killed.

jch