[16985] in bugtraq
Re: Format strings: bugs #3 & #4: ISC-dhcpd, ucd-snmp
daemon@ATHENA.MIT.EDU (Chris Evans)
Mon Oct 2 00:11:38 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0010012247170.17161-100000@ferret.lmh.ox.ac.uk>
Date: Sun, 1 Oct 2000 23:17:10 +0100
Reply-To: Chris Evans <chris@SCARY.BEASTS.ORG>
From: Chris Evans <chris@SCARY.BEASTS.ORG>
X-To: Paul Murphy <Paul.Murphy@GEMINI-GENOMICS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <s9d66b0b.016@groupwise.gemini-genomics.com>

On Sat, 30 Sep 2000, Paul Murphy wrote:

> Unless Chris can show that one of these variables can be influenced in
> some way which causes a security problem, it's a non-issue. Without
> proving that such a problem exists, it's worse than identifying a real
> security problem, since it maligns software which is actually pretty
> well written, and may cause a loss of confidence in it.

It is most certainly not a non-issue.

It's an "alertness" thing, not an exploitability thing. The presence of
these format string bugs shows a lack of security alertness, regardless of
whether or not these specific instances are exploitable.

I want to be using software on my servers which has vendors/teams who
actively monitor new potential threats, and quickly respond to them, plus
send notification out.

To be honest, very few people seem to be responding adequately to the
format strings threat. OpenBSD are the exception, of course ;-)

Cheers
Chris