Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
>* Theo de Raadt:
>
>> What if we ignore your procedures? What if we say no?
>
>You won't be told about bugs in the code you write. It's as simple as
>that.
>
>But I don't quite understand why Gadi is so thoroughly offended by the
>way how this vulnerability has been handled so far. The patches might
>be obscure, but at least there are official patches for older
>versions, too. And there is an official advisory. It could be far
>worse. The programmers of a rather popular kernel do not publish
>advisories at all, for instance.
I don't quite understand the complaints about "obscure" patches;
intricate bugs require elaborate patches; it's not a one line
sprintf->snprintf change that is easy to understand.
Because of the way the bug was addressed, ripping out setjmp/longjmp,
a lot of change is needed which is not immediately obvious.
But such is the nature of complicated bug fixes; sometimes one also needs
to rewrite parts in a more natural way or code will become increasingly
"patchy" and less maintainable.
Casper