
Re: [Full-disclosure] How not to deal with a vulnerability in your code



On Sun, Nov 6, 2011 at 1:10 AM, Manfred Schmitt
<full-disclosure@xxxxxxxxxxxxx> wrote:
> Jeremy Visser schrieb:
>
>> On 05/11/2011, at 18:24, Leon Kaiser wrote:
>> > sudo apt-get remove calibre
>> [...]
>> Ubuntu has already had the bug fixed, because they use a safe udev-based 
>> hook. The vulnerability only applies to those who have installed Calibre 
>> from source. So "apt-get remove calibre" is a pretty naïve comment to make, 
>> but you couldn't resist the bashing, could you?
>
> The thread on launchpad clearly shows (at least for me) that the developer
> has absolutely no clue about security, so imo the way to go is, even if
> there are no local root exploits anymore (in upstream), to uninstall it.
> I'm not adventurous enough to wait until it deletes all my user files
> because he (maybe, I haven't looked at the source) also reinvented rm ;)

RMS has an interesting position on free software and security. Given a
choice, Stallman would rather see free software used even if it's not
secure (so I've been told):

    RMS has been quite open about it on several
    occasions when push came to shove: it was more
    important that GNU systems use free software than
    that they be secure [1]

calibre is not an isolated case (Kovid did look like an ass when he
blew off Rosenberg). Mailman has been storing plain text/reversible
passwords for years [2]. Debian and friends supply a reseed(8) which
fetches random data over HTTP and uses it to reseed the kernel's PRNG
[3]. It goes on and on.

After GNU's Savannah was hacked, I tried to get security-related items
into the GNU coding/style guide [4]. I did not even receive a reply from
the folks in Massachusetts.

Be wary of open source and free software - you get what you pay for.
And it's not even really free: take a look at GPL V3. Apparently,
Stallman encumbered it to set it free (???).

Jeff

[1] http://mail.python.org/pipermail/mailman-users/2011-November/072462.html
[2] http://mail.python.org/pipermail/mailman-users/2011-November/072445.html
[3] https://bugs.launchpad.net/ubuntu/+source/reseed/+bug/804594
[4] https://www.gnu.org/prep/standards/standards.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/