On Wed, Feb 20, 2013 at 5:49 PM, micah anderson <mi...@riseup.net> wrote:
> Developers never made a mistake leading to a security problem, so
> Debian's one mistake in 2006 should be forever trotted out as an example
> of how Debian sucks, good point.
I once needed to patch HTPdate [1], and immediately noticed two possibilities for buffer overflows. Immediately, because they are obvious to anyone who knows C. In line 243:

    if ( recv(server_s, buffer, BUFFERSIZE, 0) != -1 ) {

does not ensure NUL-termination of received input, and in lines 264–265:

    if ( (pdate = strstr(buffer, "Date: ")) != NULL ) {
        strncpy(remote_time, pdate + 11, 24);

the necessary size of the buffer after "Date: " is not ensured.

I have sent a patch to the author of HTPdate, and he wrote back that a "Debian security administrator" already went over the code with him line-by-line. So, for the record, there are at least *two* examples why Debian sucks security-wise.

[1] http://www.vervest.org/foswiki/bin/view/HTP/DownloadC

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
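The two checks the post says are missing, written out as an added example. This is not HTPdate's code and not the poster's patch; it is a stand-alone C program that follows the same recv() + strstr() + strncpy() shape and shows the hardened form: reserve one byte and NUL-terminate after recv(), and confirm that 11 + 24 bytes really follow "Date: " before copying. The BUFFERSIZE value, the fake_recv() stand-in for the socket call, and the RESP_* responses are all constructed for the example.

```c
/* Added example, not HTPdate's code: hardened version of the
 * recv() -> strstr("Date: ") -> strncpy(remote_time, pdate + 11, 24) pattern. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFFERSIZE 1024            /* assumption: receive buffer size for the demo */
#define DATE_PREFIX "Date: "
#define DATE_SKIP 11               /* "Date: " (6) plus the "Sun, " weekday field (5) */
#define DATE_LEN 24                /* "06 Nov 1994 08:49:37 GMT" */

/* Constructed responses (not captured from any real server). */
static const char RESP_OK[] =
    "HTTP/1.1 200 OK\r\nDate: Sun, 06 Nov 1994 08:49:37 GMT\r\nServer: x\r\n\r\n";
static const char RESP_TRUNCATED[] = "HTTP/1.1 200 OK\r\nDate: Sun, 06 Nov";
static const char RESP_NODATE[]    = "HTTP/1.1 200 OK\r\nServer: x\r\n\r\n";

/* Stand-in for recv(): copies up to `cap` bytes of the peer's data and
 * returns the count. Like the real call it never writes a NUL terminator. */
static long fake_recv(char *dst, size_t cap, const char *resp, size_t resp_len)
{
    size_t n = resp_len < cap ? resp_len : cap;
    memcpy(dst, resp, n);
    return (long)n;
}

/* Extract the date value from a NUL-terminated response buffer.
 * Succeeds only if "Date: " is present AND at least DATE_SKIP + DATE_LEN
 * bytes follow it; this is the second check the post says is missing. */
static bool extract_date(const char *buf, char *out, size_t out_len)
{
    const char *pdate;
    if (out_len < DATE_LEN + 1)
        return false;
    pdate = strstr(buf, DATE_PREFIX);
    if (pdate == NULL)
        return false;
    if (strlen(pdate) < DATE_SKIP + DATE_LEN)   /* not enough bytes after "Date: " */
        return false;
    memcpy(out, pdate + DATE_SKIP, DATE_LEN);
    out[DATE_LEN] = '\0';                        /* always terminate the copy */
    return true;
}

/* Receive into a fixed buffer and parse. Leaves one byte free so the
 * buffer can be NUL-terminated after recv(); this is the first check. */
bool fetch_remote_time(const char *resp, size_t resp_len,
                       char *remote_time, size_t remote_len)
{
    char buffer[BUFFERSIZE];
    long n = fake_recv(buffer, BUFFERSIZE - 1, resp, resp_len);
    if (n <= 0)                 /* -1 is an error, 0 means the peer closed */
        return false;
    buffer[n] = '\0';           /* recv() does not do this for us */
    return extract_date(buffer, remote_time, remote_len);
}

/* Convenience wrapper: the extracted date in a static buffer, or NULL. */
const char *date_of(const char *resp, size_t resp_len)
{
    static char remote_time[DATE_LEN + 1];
    return fetch_remote_time(resp, resp_len, remote_time, sizeof remote_time)
        ? remote_time : NULL;
}

/* A response larger than BUFFERSIZE with no NUL anywhere: the reserved
 * byte keeps strstr() inside the buffer and the header still parses. */
bool oversized_case(void)
{
    char big[2 * BUFFERSIZE];
    char remote_time[DATE_LEN + 1];
    size_t hdr = strlen(RESP_OK);
    memcpy(big, RESP_OK, hdr);
    memset(big + hdr, 'A', sizeof big - hdr);
    return fetch_remote_time(big, sizeof big, remote_time, sizeof remote_time)
        && strcmp(remote_time, "06 Nov 1994 08:49:37 GMT") == 0;
}

int main(void)
{
    const char *d = date_of(RESP_OK, strlen(RESP_OK));
    printf("full response:      %s\n", d ? d : "(rejected)");
    d = date_of(RESP_TRUNCATED, strlen(RESP_TRUNCATED));
    printf("truncated response: %s\n", d ? d : "(rejected)");
    printf("oversized response: %s\n", oversized_case() ? "ok" : "(rejected)");
    return 0;
}
```

The length check uses strlen(pdate) rather than a pointer comparison against the buffer end, which is only valid because the buffer is guaranteed terminated first; the two fixes depend on each other, and applying only the second one leaves strstr() free to run off the end of an unterminated buffer.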