[liberationtech] Fwd: [greg at pryzby.org: Ubuntu, Dash, Shuttleworth and privacy]

Maxim Kammerer mk at dee.su
Wed Feb 20 08:17:16 PST 2013


On Wed, Feb 20, 2013 at 5:49 PM, micah anderson <micah at riseup.net> wrote:
> Developers never made a mistake leading to a security problem, so
> Debian's one mistake in 2006 should be forever trotted out as an example
> of how Debian sucks, good point.

I once needed to patch HTPdate [1], and immediately noticed two
possibilities for buffer overflows. Immediately, because they are
obvious to anyone who knows C — in line 243:

    if ( recv(server_s, buffer, BUFFERSIZE, 0) != -1 ) {

does not ensure NUL-termination of received input, and in lines 264–265:

        if ( (pdate = strstr(buffer, "Date: ")) != NULL ) {
            strncpy(remote_time, pdate + 11, 24);

the necessary size of the buffer after "Date: " is not ensured.

I have sent a patch to the author of HTPdate, and he wrote back that a
“Debian security administrator” already went over the code with him
line-by-line.

So, for the record, there are at least *two* examples of why Debian sucks
security-wise.

[1] http://www.vervest.org/foswiki/bin/view/HTP/DownloadC

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
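As an added illustration (not code from the post above, from HTPdate, or from Debian), the following C shows how the two defects the message points out are avoided: the receive buffer gets an explicit terminator before `strstr` is allowed to scan it, and the copy after "Date: " is only performed once the buffer is known to hold the 11-byte skip plus the 24-byte date that the quoted `strncpy` assumes. The helper name `extract_http_date`, the `BUFFERSIZE` value, and the two sample responses are assumptions constructed for this example; in real code `nbytes` would be the return value of a `recv()` call made with at most `BUFFERSIZE` bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFFERSIZE 8192           /* assumed receive buffer size */
#define DATE_PREFIX "Date: "
#define DATE_SKIP   11            /* "Date: " + "Wed, " as the quoted offset of 11 implies */
#define DATE_LEN    24            /* length of "20 Feb 2013 16:17:16 GMT" */

/* Hypothetical helper: copy the RFC 1123 date out of an HTTP response that
 * was received into buf. nbytes is the number of valid bytes (as recv()
 * would report); no NUL terminator is assumed to be present in buf.
 * Returns 1 and writes a NUL-terminated date into out on success,
 * 0 if the header is absent, truncated, or out is too small. */
int extract_http_date(const char *buf, size_t nbytes, char *out, size_t outsz)
{
    char local[BUFFERSIZE + 1];   /* +1 reserves room for the terminator */

    if (outsz < DATE_LEN + 1)
        return 0;
    if (nbytes > BUFFERSIZE)
        nbytes = BUFFERSIZE;      /* never trust the caller's length blindly */

    /* Defect 1 fixed: strstr needs a NUL-terminated haystack, so terminate
     * the received bytes ourselves instead of hoping the peer sent a NUL. */
    memcpy(local, buf, nbytes);
    local[nbytes] = '\0';

    const char *pdate = strstr(local, DATE_PREFIX);
    if (pdate == NULL)
        return 0;

    /* Defect 2 fixed: make sure the 11 + 24 bytes we are about to read
     * actually lie inside the received data before touching them. */
    size_t remaining = (size_t)(local + nbytes - pdate);
    if (remaining < DATE_SKIP + DATE_LEN)
        return 0;                 /* header cut off by a short recv() */

    memcpy(out, pdate + DATE_SKIP, DATE_LEN);
    out[DATE_LEN] = '\0';         /* strncpy would not guarantee this */
    return 1;
}

/* Constructed sample responses (not real captures). */
static const char SAMPLE_OK[] =
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 20 Feb 2013 16:17:16 GMT\r\n"
    "Server: example\r\n\r\n";

/* Header cut off in the middle of the date, as a partial recv() could deliver it. */
static const char SAMPLE_TRUNC[] =
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 20 Feb";

int main(void)
{
    char out[DATE_LEN + 1];

    if (extract_http_date(SAMPLE_OK, sizeof(SAMPLE_OK) - 1, out, sizeof out))
        printf("complete response: date = \"%s\"\n", out);
    else
        printf("complete response: no date found\n");

    if (extract_http_date(SAMPLE_TRUNC, sizeof(SAMPLE_TRUNC) - 1, out, sizeof out))
        printf("truncated response: date = \"%s\"\n", out);
    else
        printf("truncated response: rejected (date header incomplete)\n");
    return 0;
}
```

The length check is the key difference from the quoted lines: with only the `strstr` result in hand, the original code reads 24 bytes starting 11 past the match regardless of how many bytes `recv` actually returned, so a response that ends shortly after "Date: " makes it read past the valid data.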
