Bugtraq mailing list archives
Re: Format strings: bugs #3 & #4: ISC-dhcpd, ucd-snmp
From: Chris Evans <chris () SCARY BEASTS ORG>
Date: Sun, 1 Oct 2000 23:17:10 +0100
On Sat, 30 Sep 2000, Paul Murphy wrote:
> Unless Chris can show that one of these variables can be influenced in some way which causes a security problem, it's a non-issue. Without proving that such a problem exists, it's worse than identifying a real security problem, since it maligns software which is actually pretty well written, and may cause a loss of confidence in it.

It is most certainly not a non-issue. It's an "alertness" thing, not an exploitability thing. The presence of these format string bugs shows a lack of security alertness, regardless of whether or not these specific instances are exploitable.

I want to be using software on my servers which has vendors/teams who actively monitor new potential threats, and quickly respond to them, plus send notification out.

To be honest, very few people seem to be responding adequately to the format strings threat. OpenBSD are the exception, of course ;-)

Cheers
Chris