[9659] in bugtraq
Re: [HERT] Advisory #002 Buffer overflow in lsof
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Fri Feb 19 14:11:15 1999
Date: Thu, 18 Feb 1999 17:11:41 -0700
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: Gene Spafford <spaf@CS.PURDUE.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Thu, 18 Feb 1999 12:24:52 EST." <199902181724.MAA15115@dorsai.cs.purdue.edu>
> People who publish bugs/exploits that are not being actively exploited
> *before* giving the vendor a chance to fix the flaws are clearly
> grandstanding. They're part of the problem -- not the solution.
No. The problem is badly written code.
It takes me about 2 minutes to find bugs in security-related software.
I am assuming that I'm not the only person looking for these kinds of
bugs.
The REAL problem is software package maintainers who do not proactively
audit their software.