On Sun, Jul 30, 2006 at 01:51:48PM +0100, James Westby wrote:
> 3) The other package I have had some involvement with is munge[5]. There
> is also an open ITP for that[6], and I have been giving some
> packaging help to the owner. This seems like a new idea, and quite
> complex. I think it would make a very interesting package to look at.
> Unfortunately there's no real documentation on the design of the
> system.
Now I've had the time to perform an audit of munge as well. I looked for
the normal bugs that I usually look for, and I didn't find anything. The
author is trying quite hard to be secure, and checks lengths and return
values in lots of places to avoid any possibility for overflows. A comment
even refers to David Wheeler's "Secure Programming for Linux and Unix HOWTO
-- Creating Secure Software". In summary, I think that it's a lot more
secure than some of the software already in Debian.
// Ulf