
Re: [Full-disclosure] Internet has vuln.



derp, strike the part about steve wray v jeff walton; everything else
remains valid.

On Fri, Sep 13, 2013 at 3:28 PM, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
> On Fri, Sep 13, 2013 at 2:45 PM,  <Valdis.Kletnieks@xxxxxx> wrote:
>> On Thu, 12 Sep 2013 18:23:53 -0400, Jeffrey Walton said:
>>
>>> They ignored my comments on fixed size arrays based on MAX_PATH and
>>> the subsequent overflows and silent truncations due to use of sprintf
>>> and snprintf....
>>
>> Which "they" was it?
>>
>> If you're referring to this:
>>
>> http://comments.gmane.org/gmane.comp.security.selinux/16844
> There were many more than just that one.
>
>> Note that the guy you were replying to was a Japanese software engineer
>> employed by NEC.  If you want to argue the guy was an NSA plant trying to
>> get a backdoor in, feel free. But don't expect to be taken seriously
>> without some additional evidence.
> The code was accepted into the project.
>> And it counted as "underhanded", how, exactly?
> I did not claim that.
>
>> In other words - under what conditions can you make a truncation to MAX_PATH
>> cause an actual hole? And to count as "underhanded" rather than merely
>> "buggy", you'd need at least a whiff of evidence that it was intentional.
> What's the difference if it's exploitable in practice?
>
> There's no need to consciously add backdoors when developers are
> checking in shit code. They serve the same purpose and add a level of
> deniability.
>
>> Or as Kohei replied to you:
>>
>> "The selinux_mnt is not a variable given by external one, unless
>> application does not update it by itself.
>>
>> It is not difficult to modify this part to return ENAMETOOLONG
>> when snprintf() returns larger or equal with PATH_MAX."
>>
>> In the Linux community, this would count as '-ENOPATCH', as I'm not
>> finding where you ever submitted a patch to fix the issue.
> The more eyes the better, right....
>
> Crowd sourcing security is a myth.
>
> Jeff
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
