Full Disclosure mailing list archives
Re: Internet has vuln.
From: Valdis.Kletnieks () vt edu
Date: Fri, 13 Sep 2013 14:45:54 -0400
On Thu, 12 Sep 2013 18:23:53 -0400, Jeffrey Walton said:
They ignored my comments on fixed size arrays based on MAX_PATH and the subsequent overflows and silent truncations due to use of sprintf and snprintf....
Which "they" was it? If you're referring to this: http://comments.gmane.org/gmane.comp.security.selinux/16844 Note that the guy you were replying to was a Japanese software engineer employed by NEC. If you want to argue the guy was an NSA plant trying to get a backdoor in, feel free. But don't expect to be taken seriously without some additional evidence. And it counted as "underhanded", how, exactly? In other words - under what conditions can you make a truncation to MAX_PATH cause an actual hole? And to count as "underhanded" rather than merely "buggy", you'd need at least a whiff of evidence that it was intentional. Or as Kohei replied to you: "The selinux_mnt is not a variable given by external one, unless application does not update it by itself. It is not difficult to modify this part to return ENAMETOOLONG when snprintf() returns larger or equal with PATH_MAX." In the Linux community, this would count as '-ENOPATCH', as I'm not finding where you ever submitted a patch to fix the issue.
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Internet has vuln. coderman (Sep 06)
- Re: Internet has vuln. coderman (Sep 11)
- Re: Internet has vuln. coderman (Sep 11)
- Re: Internet has vuln. Steve Wray (Sep 12)
- Re: Internet has vuln. coderman (Sep 12)
- Re: Internet has vuln. coderman (Sep 12)
- Re: Internet has vuln. Valdis . Kletnieks (Sep 12)
- Re: Internet has vuln. Jeffrey Walton (Sep 12)
- Re: Internet has vuln. Valdis . Kletnieks (Sep 13)
- Re: Internet has vuln. Justin Ferguson (Sep 13)
- Re: Internet has vuln. Jeffrey Walton (Sep 13)
- Re: Internet has vuln. Justin Ferguson (Sep 13)
- Re: Internet has vuln. coderman (Sep 11)
- Re: Internet has vuln. coderman (Sep 11)
- Re: Internet has vuln. Tracy Reed (Sep 13)
- Re: Internet has vuln. Steve Wray (Sep 14)