Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Fwd: [greg at pryzby.org: Ubuntu, Dash, Shuttleworth and privacy]

Julian Oliver julian at julianoliver.com
Wed Feb 20 08:27:24 PST 2013


..on Wed, Feb 20, 2013 at 06:17:16PM +0200, Maxim Kammerer wrote:
> On Wed, Feb 20, 2013 at 5:49 PM, micah anderson <micah at riseup.net> wrote:
> > Developers never made a mistake leading to a security problem, so
> > Debian's one mistake in 2006 should be forever trotted out as an example
> > of how Debian sucks, good point.
> 
> I once needed to patch HTPdate [1], and immediately noticed two
> possibilities for buffer overflows. Immediately, because they are
> obvious to anyone who knows C — in line 243:
> 
>     if ( recv(server_s, buffer, BUFFERSIZE, 0) != -1 ) {
> 
> does not ensure NUL-termination of received input, and in lines 264–265:
> 
>         if ( (pdate = strstr(buffer, "Date: ")) != NULL ) {
>             strncpy(remote_time, pdate + 11, 24);
> 
> necessary size of buffer after "Date: " is not ensured.
> 
> I have sent a patch to the author of HTPdate, and he wrote back that a
> “Debian security administrator” already went over the code with him
> line-by-line.
> 
> So, for the record, there are at least *two* examples why Debian sucks
> security-wise.
> 
> [1] http://www.vervest.org/foswiki/bin/view/HTP/DownloadC

Did you file a bug? It doesn't look like you did. You should do it.

    http://www.debian.org/Bugs/

Filing a bug is a standard procedure which is the fastest and most responsible
means of getting a patch in and escalated in Debian GNU/Linux.

For all you know the author of HTpdate may not be telling the truth, that s/he
didn't contact any 'Debian security administrator' - I've never heard of such a
role. Debian packages have /maintainers/ not administrators. You ought to file a
bug so it reaches the package maintainer.

Frankly, you will always find exceptions to what is other wise a highly regarded
distribution, highly regarded enough for 70% or so of all other distributions to
use it as a base. 

A great many security conscious organisations run their internet-facing servers
on Debian GNU/Linux (Stable). More so, BackTrack is based on Debian, a
distribution used by countless data forensics people, pen-testers and security
auditors world wide. It's fairly widely trusted in the field.

Cheers,

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org



More information about the liberationtech mailing list