|
Message-ID: <CAEZyo3ASqgsg1zD4nO7ShE8QS5yTPdiS6XPsG_d7EOZp8-aJYg@mail.gmail.com> Date: Tue, 9 Sep 2014 22:14:21 +0300 From: Mikko Korpela <mikko.korpela@...il.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: Re: pinocchio tmp vuln "And we will need that because there are so many devices hitting the streets with so many noob vulns that it's only a matter of time before someone is killed." So umm.. Your saying that you guys are saving the world by finding out random packages that use easily guessable filenames from /tmp/ that everybody has access to? I think security (like safety) has its place, but it is largely context dependent - you don't put locks to every door in your house (or I hope you don't) or you end up spending all the time opening and closing them. I'm not arguing that the things you guys are talking about are not important in many contexts but test automation?? It is part of software development process - and in many cases requires that the system under test must be executed in some very unsecure way to enable access to the internals of the tested system. So in this place where these tests are executing (developers little sandbox that is far away from the evil world around us) if someone "evil" has access to the /tmp/ folder or the machine in any way then you are already screwed. So could someone please give me an example case of a test automation tool where removing a /tmp/ vuln would have had any significance? (By the way I kind of think that I'm saving the world also :P by giving people test automation tools so they can get bugs out of their software systems - and bugs really kill people) 2014-09-09 19:39 GMT+03:00 John Haxby <john.haxby@...cle.com>: > On 09/09/14 09:34, Steve Kemp wrote: >> I'm sure lots of >> modules exist created by inexperienced developers who haven't >> considered the implications of posting new code libraries. > > We see lots of people making the same mistakes over and over again. > > Apart from the obvious newbie mistakes of failing to create proper > temporary directories, we also get things like the slightly more subtle > shipping a "secure" web server with a fixed self-signed cert. Or > copying a user-supplied string into a MAXPATH+1 buffer because that's > long enough for any pathname. Or ... > > I don't need to go on, we've all seen them and Kurt highlighting > problems is all goodness because at least it gets people thinking a bit > more about security. And we will need that because there are so many > devices hitting the streets with so many noob vulns that it's only a > matter of time before someone is killed. > > jch -- Mikko Korpela
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.