|
Message-ID: <540F2D48.80707@oracle.com> Date: Tue, 09 Sep 2014 17:39:36 +0100 From: John Haxby <john.haxby@...cle.com> To: oss-security@...ts.openwall.com Subject: Re: pinocchio tmp vuln On 09/09/14 09:34, Steve Kemp wrote: > I'm sure lots of > modules exist created by inexperienced developers who haven't > considered the implications of posting new code libraries. We see lots of people making the same mistakes over and over again. Apart from the obvious newbie mistakes of failing to create proper temporary directories, we also get things like the slightly more subtle shipping a "secure" web server with a fixed self-signed cert. Or copying a user-supplied string into a MAXPATH+1 buffer because that's long enough for any pathname. Or ... I don't need to go on, we've all seen them and Kurt highlighting problems is all goodness because at least it gets people thinking a bit more about security. And we will need that because there are so many devices hitting the streets with so many noob vulns that it's only a matter of time before someone is killed. jch
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.