Re: [MORE] Lynx's 2.x buffers overflows
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Fri May 8 12:37:08 1998
Date: Thu, 7 May 1998 00:14:36 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: Bela Lubkin <belal@SCO.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Wed, 06 May 1998 03:03:52 PDT."
<9805060303.aa20807@mammoth.sco.com>
> I am curious why these Lynx bugs are being reported to bugtraq, but not
> to the developers of Lynx. Likewise for bugs in anything else. Please
> have the courtesy to report them to the people who should be fixing
> them!
I have a very different take on all this.
Any software group shipping a piece of software today for which they
have not put even a minimal amount of effort at fixing the buffer
overflows ... isn't going to get much help from this community (or
from me).
A lot of these groups appear to be asking for messages telling them
where the bugs are. Do they want messages like "Oh, I found one
exploitable hole in about 4 minutes of searching, but I have not
looked at the other 180 blatantly obvious buffer overflows I saw;
perhaps after you make your next release I'll spend another 4 minutes
and find another one".
I wish these software groups would put some effort into writing
quality code. If you can't or won't go into your own code and
properly constrain your memory accesses to the intended object, what
kind of programmers are you anyways?
Unbounded memory access problems are TRIVIAL to find and TRIVIAL to
fix, and the only reason this issue keeps coming up is because there's
a hell of a lot of really LAZY people out there.