Hi Ulf,
On Mon, Jun 28, 2004 at 05:54:29PM +0200, Ulf Härnhammar wrote:
> > Some of the bugs I've come across could have
> > been found easily with an automated vulnerability scanner. Especially
> > stuff like passing user-controllable format strings to syslog() just
> > shouldn't happen any more..
>
> That's an interesting idea! I don't think we're quite ready to let the
> machines do all auditing by themselves (do Flawfinder or RATS obey
> Asimov's laws of robotics?).
;-)
I obviously meant not _completely_ automated.
> For one thing, I have found lots of code with potential format string
> bugs (syslog(LOG_MAIL, blah); or fprintf(stderr, blah); or whatever),
> which turned out to be sloppy programming and no security hole,
> because the user never got to control the value of blah.
One could argue that these are still bugs with security implications.
Some versions later, a sleepy developer may not remember the subtleness
and add an otherwise unsuspecting debugging statement that makes the
content controllable.
It's probably good in general to report this kind of corner-case bug
to the upstream developers regardless of whether they are directly
exploitable, but then in practice I haven't really bothered to do that
myself either.
Cheers,
Max
--