On Sun, Jan 15, 2006 at 09:46:33PM +0000, Steve Kemp wrote:
> On Sun, Jan 15, 2006 at 09:23:25PM +0100, Max Vozeler wrote:
>
> > attached are some bugs I've found in the last year and a half.
>
> Wow, that is a lot!
It's been a long time too :-)
> Right now I've kinda stalled because I find it difficult to do so.
> The pages on shellcode.org are much easier to update since the site
> is just a wiki. (Anybody who wants to update the list of advisories
> there is welcome to ask for a login; makes it easier to sync the two..)
I wouldn't mind that - you are referring to /security-advisories? I
prefer editing a Wiki over the wml markup used for the debian.org
pages which I have no experience with so far.
> Distressing to see a couple of new holes in previously audited
> packages. Perhaps a time to ask for more eyes upon things..?
That can't be a bad thing in any case. I'm sure there are bugs that
I've overlooked or simply not understood in the programs I've looked
at. Sometimes it's probably just a matter of attention (or lack
thereof) during the audit, or experience with a particular technique
or class of bugs. Phantasmal's look at dlmalloc for example suddenly
proved a number of bugs to be exploitable on glibc 2.3.5 that I thought
were not or no longer possible, and so there are likely to be other
bugs that look different to different people.
cheers,
Max