[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Re: The Cult of a Cardinal Number



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>A cc of this email to security@xxxxxxxxxxx would have been
appreciated
>if you felt the need not to give any prior warning to the team so
>problematic versions could be removed from the ftp archives and/or
>patched.
>
>    Mark Lowes
>
>--
>Mark Lowes <hamster@xxxxxxxxxxx>
>

Certainly, this is a reasonable request. But it has to be said that I
had
the distinct impression that the 'team' was already aware of the
problems surrounding xlate_ascii_write(), and were merely inclined to

ignore the (perhaps) insignificant percentage of the ProFTPD user base

that had not yet updated to 1.2.9. My justification lies in the resolution

of Bug#2200 which included the clean up of xlate_ascii_write() that saw

these overflows fixed. Castaglia writes in revision 1.69's log message:


"Bug#2200 - Correct segfaults with xlate_ascii_write on IRIX. Some of

the last of the remainding code (whose I understood only partially, such

as the session.xfer.buf++ increment) is now removed, as well as a
potentially dangerous NUL-termination statement."

This leaves me with two possible scenarios. Firstly, castaglia reads

Jesse Sipprell's bug report and without fully understanding the problem

commits the provided patch. Or secondly, castaglia reads Jesse
Sipprell's bug report and realises the possible ramifications of the

highlighted issues, deciding to silently patch them under the guise of

'IRIX segfaults' rather than endure the publicity of yet another
exploitable buffer overflow in his pet project (just days after the ISS

release).

There may be arguments for both accounts, but lets give castaglia
some credit. He knows what he's doing, and I believe that he knew
exactly what the issues meant. Would you mark code as "potentially
dangerous" yet not investigate the matter further to find the complete

implications it may have on your user base? Would anyone?

Love,
Phantasmal Phantasmagoria
phantasmal@xxxxxxx


-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAkBG2xwACgkQImcz/hfgxg3IFACcCvX0oVJHTb15/utdELoaeD00/AsA
oKfFXp4Vfp6MzlED2OvjT/ebA+78
=4zFn
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html