Date: Fri, 12 Jan 2018 14:58:10 +0000 From: halfdog <me@...fdog.net> To: oss-security@...ts.openwall.com Subject: On reading, thinking, copying Hello list, After getting home from work (and after fixing my emulated server that could not handle the SSL handshakes any more), I was quite amused reading the references around yesterday's CVE-2018-1000001. Derived from that, here some hints to improve quality in security information handling: 1) The first link in an article usually is not the most important one. This is due to probability theory and correlates with the number of citations in the article. It even is less likely to be relevant, when the article starts citing the historic context - unless you are a software archeologist. 2) If the resource behind the first reference has some well-known name in the first few lines, you should not conclude, that this prooves the argument, you want to have prooven. You should still read, what this source says and put it in the context of the current argument. Otherwise you might end up at crap-press quality level: cite Harvard in the first line (no one will check the reference anyway) and the claim whatever you want. 3) There are quite some differences between an errant lxstat call and a buffer overflow. SOC members should know that. While the first by itself is just a bug and has zero security relevance when triggered in a fully user-controlled directory structure (proove me wrong), still the later might have quite severe security implications. 4) Just because someone else copied crap without thinking, you should not do the same. Here is a suboptimal Google dork to get an approximate ranking of the most popular copy-without-thinking sites related to this issue (and subtract automated feed forwarding and correct context citations by hand). https://www.google.com/search?q=%22CVE-2018-1000001%22+%22sourceware.org/bugzilla/show_bug.cgi%3Fid%3D18203%22&filter=0 hd
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ