[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
- To: Florian Weimer <fw@xxxxxxxxxxxxx>
- Subject: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
- From: Casper.Dik@xxxxxxx
- Date: Tue, 28 Mar 2006 09:36:32 +0200
>* Theo de Raadt:
>
>> What if we ignore your procedures? What if we say no?
>
>You won't be told about bugs in the code you write. It's as simple as
>that.
>
>But I don't quite understand why Gadi is so thoroughly offended by the
>way how this vulnerability has been handled so far. The patches might
>be obscure, but at least there are official patches for older
>versions, too. And there is an official advisory. It could be far
>worse. The programmers of a rather popular kernel do not publish
>advisories at all, for instance.
I don't quite understand the complaints about "obscure" patches;
intricate bugs require elaborate patches; it's not a one line
sprintf->snprintf change that is easy to understand.
Because of the way the bug was addressed, ripping out setjmp/longjmp,
a lot of change is needed which is not immediately obvious.
But such is the nature of complicated bug fixes; sometimes one also needs
to rewrite parts in a more natural way or code will become increasingly
"patchy" and less maintainable.
Casper