<<< Date Index >>>     <<< Thread Index >>>

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)



>* Theo de Raadt:
>
>> What if we ignore your procedures?  What if we say no?
>
>You won't be told about bugs in the code you write.  It's as simple as
>that.
>
>But I don't quite understand why Gadi is so thoroughly offended by the
>way how this vulnerability has been handled so far.  The patches might
>be obscure, but at least there are official patches for older
>versions, too.  And there is an official advisory.  It could be far
>worse.  The programmers of a rather popular kernel do not publish
>advisories at all, for instance.

I don't quite understand the complaints about "obscure" patches;
intricate bugs require elaborate patches; it's not a one line
sprintf->snprintf change that is easy to understand.

Because of the way the bug was addressed, ripping out setjmp/longjmp,
a lot of change is needed which is not immediately obvious.

But such is the nature of complicated bug fixes; sometimes one also needs
to rewrite parts in a more natural way or code will become increasingly
"patchy" and less maintainable.

Casper