Bugtraq mailing list archives

Re: Solaris libc locale format string exploit


From: "van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>
Date: Fri, 20 Oct 2000 20:35:49 +0200

On Fri, 20 Oct 2000, Atro Tossavainen wrote:

On Sep 8, 2000 Warning3 posted an exploit for the Solaris
libc locale format string vulnerability. This was more than
a month ago.

This bug has not been fixed yet. The Securityfocus vulnerability database
shows no patches for the locale bug on Solaris. Sun's website does not
even mention the existence of this bug.

My local Sun rep told me on Oct 3 that they have fixes ready for all
supported software releases and platforms and that evaluation patches
would be sent to customers in a few days.

Obviously not.

I asked him again yesterday, with the response that the kernel update
process for all supported software releases and platforms is rather
tedious and lengthy, and that's why it's taking so long.

Couldn't they adopt a two-way strategy?

As soon as a fix is available and has gone through basic testing, then make it
available on request with a great disclaimer about the level of test
performed.

Then when the whole circus has had their say and all QA steps are taken,
revoke the tempfix and make the normal fix available.

So people have the choice between a certain problem which isn't fixed yet
or a fix that is possibly buggy.

An extremely long QA process does not hold well with modern day security
requirements. In my view this problem is a serious weakness with SUN.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)

