Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 09 Sep 2014 17:39:36 +0100
From: John Haxby <>
Subject: Re: pinocchio tmp vuln

On 09/09/14 09:34, Steve Kemp wrote:
>                                          I'm sure lots of
>  modules exist created by inexperienced developers who haven't
>  considered the implications of posting new code libraries.

We see lots of people making the same mistakes over and over again.

Apart from the obvious newbie mistakes of failing to create proper
temporary directories, we also get things like the slightly more subtle
shipping a "secure" web server with a fixed self-signed cert.   Or
copying a user-supplied string into a MAXPATH+1 buffer because that's
long enough for any pathname.   Or ...

I don't need to go on, we've all seen them and Kurt highlighting
problems is all goodness because at least it gets people thinking a bit
more about security.  And we will need that because there are so many
devices hitting the streets with so many noob vulns that it's only a
matter of time before someone is killed.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.